Class: Ruote::TreeChecker

Inherits:
Object
  • Object
show all
Defined in:
lib/ruote/svc/treechecker.rb

Overview

The TreeChecker service is used to check incoming external ruby code and raise a security error if it contains potentially evil code.

Instance Method Summary collapse

Constructor Details

#initialize(context) ⇒ TreeChecker

Returns a new instance of TreeChecker


38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# File 'lib/ruote/svc/treechecker.rb', line 38

def initialize(context)

  return if context['use_ruby_treechecker'] == false

  checker = Rufus::TreeChecker.new do

    exclude_fvccall :abort, :exit, :exit!
    exclude_fvccall :system, :fork, :syscall, :trap, :require, :load
    exclude_fvccall :at_exit

    #exclude_call_to :class
    exclude_fvcall :private, :public, :protected

    #exclude_raise             # no raise or throw

    exclude_eval              # no eval, module_eval or instance_eval
    exclude_backquotes        # no `rm -fR the/kitchen/sink`
    exclude_alias             # no alias or aliast_method
    exclude_global_vars       # $vars are off limits
    exclude_module_tinkering  # no module opening

    exclude_rebinding Kernel # no 'k = Kernel'

    exclude_access_to(
      IO, File, FileUtils, Process, Signal, Thread, ThreadGroup)

    #exclude_class_tinkering :except => Ruote::ProcessDefinition
      #
      # excludes defining/opening any class except
      # Ruote::ProcessDefinition

    exclude_call_to :instance_variable_get, :instance_variable_set
  end

  stricter_checker = checker.clone
  stricter_checker.add_rules do
    exclude_def    # no method definition
    exclude_raise  # no raise or throw
  end

  # the checker used when reading process definitions

  @def_checker = stricter_checker.clone # and not dup
  @def_checker.freeze

  ## the checker used when dealing with conditionals
  #
  #@con_checker = checker.clone # and not dup
  #@con_checker.add_rules do
  #  exclude_raise # no raise or throw
  #  at_root do
  #    exclude_head [ :block ] # preventing 'a < b; do_sthing_evil()'
  #    exclude_head [ :lasgn ] # preventing 'a = 3'
  #  end
  #end
  #@con_checker.freeze
    #
    # lib/ruote/exp/condition.rb doesn't use this treechecker
    # kept (commented out) for 'documentation'

  # the checker used when dealing with code in $(ruby:xxx}

  @dol_checker = stricter_checker.clone # and not dup
  @dol_checker.freeze

  # the checker used when dealing with BlockParticipant code

  @blo_checker = checker.clone # and not dup
  @blo_checker.add_rules do
    exclude_def    # no method definition
  end
  @blo_checker.freeze

  # the checker used for CodeParticipant

  @cod_checker = checker.clone # and not dup
  @cod_checker.freeze

  freeze
    # preventing further modifications
end

Instance Method Details

#block_check(ruby_code) ⇒ Object


125
126
127
128
# File 'lib/ruote/svc/treechecker.rb', line 125

def block_check(ruby_code)

  @blo_checker.check(ruby_code) if @blo_checker
end

#code_check(ruby_code) ⇒ Object


135
136
137
138
# File 'lib/ruote/svc/treechecker.rb', line 135

def code_check(ruby_code)

  @cod_checker.check(ruby_code) if @cod_checker
end

#definition_check(ruby_code) ⇒ Object


120
121
122
123
# File 'lib/ruote/svc/treechecker.rb', line 120

def definition_check(ruby_code)

  @def_checker.check(ruby_code) if @def_checker
end

#dollar_check(ruby_code) ⇒ Object


130
131
132
133
# File 'lib/ruote/svc/treechecker.rb', line 130

def dollar_check(ruby_code)

  @dol_checker.check(ruby_code) if @dol_checker
end