Ruby: creating a sandboxed eval?


Problem description


My Rails app has complicated rules about when a bit of content should be displayed on a page or not. I've decided to implement this by writing predicates (simple 'yes/no' functions) in Ruby and storing them in the db for subsequent eval'ing. It is pretty straightforward.


My main concern is security: if a malicious somebody figures out how to write to the db, they could stick arbitrary Ruby code in the db and then 'all your base are belong to us'.


So is it possible to create a 'sandboxed' eval, for example, which has all IO operations removed?

Recommended answer


You might want to check the 'taint' method and related stuff. This is a good reference:

http://ruby-doc.com/docs/ProgrammingRuby/html/taint.html


Despite that, I can't advise you enough against storing code and evaluating it; it's a security risk that should be avoided, and most times there's a simpler way of solving your problems.


If you need to evaluate complex rules and predicates, I'd recommend a rule engine to create a nice DSL. Haven't used one in Ruby, but this one looks good to me:

http://treetop.rubyforge.org/index.html

Cheers
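The answer recommends a DSL over eval'ing stored Ruby. The example below is added here to show that idea in working code; it is not from the question, the answer, or the Treetop project. A predicate is stored as text in a tiny comparison language, tokenized with Ruby's standard `strscan`, parsed into a tree and interpreted against a whitelisted context hash, so the stored string can only compare fields the application exposes and can never invoke a Ruby method. The grammar, the `PredicateEval` module and the `CONTEXT` sample data are all constructed for this example. One caveat on the linked reference: the `taint`/`$SAFE` mechanism has since been removed from Ruby, so an interpreter like this one, or a parser generator such as Treetop, is the practical route today.

```ruby
require "strscan"

# Constructed predicate language (not a real library):
#   or_expr  := and_expr ('or' and_expr)*
#   and_expr := not_expr ('and' not_expr)*
#   not_expr := 'not' not_expr | cmp
#   cmp      := value (('==' | '!=' | '<' | '<=' | '>' | '>=') value)?
#   value    := NUMBER | STRING | 'true' | 'false' | IDENT('.' IDENT)* | '(' or_expr ')'
module PredicateEval
  class Error < StandardError; end

  # Only these operators can ever be sent to a value; no other method is reachable.
  OPS = { "==" => :==, "!=" => :!=, "<=" => :<=, ">=" => :>=, "<" => :<, ">" => :> }.freeze
  KEYWORDS = %w[and or not true false].freeze

  def self.tokenize(src)
    s = StringScanner.new(src)
    tokens = []
    until s.eos?
      next if s.skip(/\s+/)
      if (t = s.scan(/\d+/))                       then tokens << [:num, t.to_i]
      elsif s.scan(/"([^"]*)"/)                    then tokens << [:str, s[1]]
      elsif (t = s.scan(/==|!=|<=|>=|<|>/))         then tokens << [:op, t]
      elsif (t = s.scan(/[()]/))                   then tokens << [:paren, t]
      elsif (t = s.scan(/[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*/))
        tokens << (KEYWORDS.include?(t) ? [:kw, t] : [:ident, t])
      else
        raise Error, "unexpected character #{s.peek(1).inspect} at #{s.pos}"
      end
    end
    tokens
  end

  # Recursive-descent parser producing a nested-array AST.
  class Parser
    def initialize(tokens) = (@t, @i = tokens, 0)

    def parse
      ast = or_expr
      raise Error, "trailing tokens after predicate" if @i < @t.length
      ast
    end

    private

    def peek = @t[@i]
    def take = (tok = @t[@i]; @i += 1; tok)

    def accept(kind, val = nil)
      tok = peek
      return nil unless tok && tok[0] == kind && (val.nil? || tok[1] == val)
      take
    end

    def or_expr
      left = and_expr
      left = [:or, left, and_expr] while accept(:kw, "or")
      left
    end

    def and_expr
      left = not_expr
      left = [:and, left, not_expr] while accept(:kw, "and")
      left
    end

    def not_expr
      return [:not, not_expr] if accept(:kw, "not")
      cmp
    end

    def cmp
      left = value
      (op = accept(:op)) ? [:cmp, op[1], left, value] : left
    end

    def value
      tok = take or raise Error, "unexpected end of predicate"
      case tok[0]
      when :num, :str then [:lit, tok[1]]
      when :kw
        raise Error, "unexpected keyword #{tok[1]}" unless %w[true false].include?(tok[1])
        [:lit, tok[1] == "true"]
      when :ident then [:field, tok[1].split(".")]
      when :paren
        raise Error, "unexpected )" if tok[1] == ")"
        inner = or_expr
        accept(:paren, ")") or raise Error, "missing )"
        inner
      else raise Error, "unexpected token #{tok[1]}"
      end
    end
  end

  # Interpreter: field lookups are plain Hash reads on the supplied context.
  def self.evaluate(ast, ctx)
    case ast[0]
    when :lit then ast[1]
    when :field
      ast[1].reduce(ctx) do |obj, key|
        raise Error, "unknown field #{ast[1].join('.')}" unless obj.is_a?(Hash) && obj.key?(key)
        obj[key]
      end
    when :not then !evaluate(ast[1], ctx)
    when :and then evaluate(ast[1], ctx) && evaluate(ast[2], ctx)
    when :or  then evaluate(ast[1], ctx) || evaluate(ast[2], ctx)
    when :cmp
      op = ast[1]
      l, r = evaluate(ast[2], ctx), evaluate(ast[3], ctx)
      ordered_ok = (l.is_a?(Numeric) && r.is_a?(Numeric)) || (l.is_a?(String) && r.is_a?(String))
      raise Error, "cannot order #{l.class} against #{r.class}" unless %w[== !=].include?(op) || ordered_ok
      l.public_send(OPS.fetch(op), r)
    end
  end

  # Parse and run one stored predicate; the result must be a real boolean.
  def self.check(predicate, ctx)
    result = evaluate(Parser.new(tokenize(predicate)).parse, ctx)
    raise Error, "predicate did not yield a boolean" unless [true, false].include?(result)
    result
  end
end

# Constructed sample context: the only data a stored predicate can see.
CONTEXT = {
  "user" => { "role" => "admin", "age" => 34 },
  "page" => { "views" => 120, "published" => true },
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts PredicateEval.check('user.role == "admin" and page.views > 100', CONTEXT)
  begin
    PredicateEval.check('Dir.glob("*")', CONTEXT) # a method call is not in the grammar
  rescue PredicateEval::Error => e
    puts "rejected: #{e.message}"
  end
end
```

Because the stored text is parsed rather than executed, anything outside the grammar (a method call, a constant, string interpolation) fails at parse time, and a predicate referencing a field the context does not expose fails at evaluation time; both are ordinary errors the application can log rather than code paths an attacker can reach.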
