Class: Shikashi::Privileges

# File lib/shikashi/privileges.rb, line 95
  def initialize
    @allowed_objects = Hash.new
    @allowed_kinds = Hash.new
    @allowed_classes = Hash.new
    @allowed_instances = Hash.new
    @allowed_methods = Array.new
    @allowed_klass_methods = Hash.new
    @allowed_read_globals = Array.new
    @allowed_read_consts = Array.new
    @allowed_write_globals = Array.new
    @allowed_write_consts = Array.new
  end

allow?(klass, recv, method_name, method_id)

[Source]

# File lib/shikashi/privileges.rb, line 182
  def allow?(klass, recv, method_name, method_id)

    m = nil
    m = klass.instance_method(method_name) if method_name

    begin
      return true if @allowed_methods.include?(method_name)

      tmp = @allowed_objects[recv.object_id]
      if tmp
        if tmp.allowed?(method_name)
          @last_allowed = tmp
          return true
        end
      end

      if m
        tmp = @allowed_klass_methods[m.owner.object_id]
        if tmp
          if tmp.allowed?(method_name)
            @last_allowed = tmp
            return true
          end
        end
      end

      if recv.instance_of? Class
        last_class = recv

        while true
          tmp = @allowed_classes[last_class.object_id]
          if tmp
            if tmp.allowed?(method_name)
              @last_allowed = tmp
              return true
            end
          end
          if last_class
            break if last_class == Object
            last_class = last_class.superclass
          else
            break
          end
        end
      end

      last_class = recv.class
      while true
        tmp = @allowed_kinds[last_class.object_id]
        if tmp
          if tmp.allowed?(method_name)
            @last_allowed = tmp
            return true
          end
        end
        if last_class
          break if last_class == Object
          last_class = last_class.superclass
        else
          break
        end
      end

      tmp = @allowed_instances[recv.class.object_id]
      if tmp
        if tmp.allowed?(method_name)
        @last_allowed = tmp
        return true
        end
      end

      false
    rescue Exception => e
      print "ERROR: #{e}\n"
    print e.backtrace.join("\n")
      false
    end
  end

allow_class_definitions()

Defines the permissions needed to declare classes within the sandbox

[Source]

# File lib/shikashi/privileges/classes.rb, line 24
    def allow_class_definitions
      instances_of(Class).allow nil, :inherited, :method_added
      allow_method "core#define_method".to_sym
    end

allow_const_read( *varnames )

Enables the permissions needed to read one or more constants

Example:

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_method :print
  priv.allow_const_read "Object::A"

  A = 8
  s.run(priv, '
  print "assigned Object::A:", A,"\n"
  ')

[Source]

# File lib/shikashi/privileges.rb, line 399
  def allow_const_read( *varnames )
    varnames.each do |varname|
      @allowed_read_consts << varname.to_s
    end

    self
  end

allow_const_write( *varnames )

Enables the permissions needed to create or change one or more constants

Example:

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_method :print
  priv.allow_const_write "Object::A"

  s.run(priv, '
  print "assigned 8 to Object::A\n"
  A = 8
  ')

  p A

[Source]

# File lib/shikashi/privileges.rb, line 378
  def allow_const_write( *varnames )
    varnames.each do |varname|
      @allowed_write_consts << varname.to_s
    end
    self
  end

allow_exceptions()

Define the permissions needed to raise exceptions within the sandbox

[Source]

# File lib/shikashi/privileges/exceptions.rb, line 24
    def allow_exceptions
      allow_method :raise
      methods_of(Exception).allow :backtrace, :set_backtrace, :exception
    end

allow_global_read( *varnames )

Enables the permissions needed to read one or more global variables

Example:

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_method :print
  priv.allow_global_read :$a

  $a = 9

  s.run(priv, '
  print "$a value:", $a, "s\n"
  ')

Example 2

  Sandbox.run('
  print "$a value:", $a, "s\n"
  print "$b value:", $b, "s\n"
  ', Privileges.allow_global_read(:$a,:$b) )

[Source]

# File lib/shikashi/privileges.rb, line 328
  def allow_global_read( *varnames )
    varnames.each do |varname|
      @allowed_read_globals << varname.to_sym
    end

    self
  end

allow_global_write( *varnames )

Enables the permissions needed to create or change one or more global variables

Example:

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_method :print
  priv.allow_global_write :$a

  s.run(priv, '
  $a = 9
  print "assigned 9 to $a\n"
  ')

  p $a

[Source]

# File lib/shikashi/privileges.rb, line 353
  def allow_global_write( *varnames )
    varnames.each do |varname|
      @allowed_write_globals << varname.to_sym
    end

    self
  end

allow_method(method_name)

allow the execution of method named method_name whereever

Example:

 privileges.allow_method(:foo)

[Source]

# File lib/shikashi/privileges.rb, line 177
  def allow_method(method_name)
    @allowed_methods << method_name.to_sym
    self
  end

allow_singleton_methods()

Define the permissions needed to define singleton methods within the sandbox

[Source]

# File lib/shikashi/privileges/singleton_methods.rb, line 24
    def allow_singleton_methods
      allow_method :singleton_method_added
      allow_method "core#define_singleton_method".to_sym
    end

allow_xstr()

Enables the permissions needed to execute system calls from the script

Example:

  s = Sandbox.new
  priv = Privileges.new

  priv.allow_xstr

  s.run(priv, '
    %x[ls -l]
  ')

Example 2:

  Sandbox.run('%x[ls -l]', Privileges.allow_xstr)

[Source]

# File lib/shikashi/privileges.rb, line 299
  def allow_xstr
    @xstr_allowed = true

    self
  end

const_read_allowed?(varname)

[Source]

# File lib/shikashi/privileges.rb, line 273
  def const_read_allowed?(varname)
    @allowed_read_consts.include? varname
  end

const_write_allowed?(varname)

[Source]

# File lib/shikashi/privileges.rb, line 277
  def const_write_allowed?(varname)
    @allowed_write_consts.include? varname
  end

global_read_allowed?(varname)

[Source]

# File lib/shikashi/privileges.rb, line 265
  def global_read_allowed?(varname)
    @allowed_read_globals.include? varname
  end

global_write_allowed?(varname)

[Source]

# File lib/shikashi/privileges.rb, line 269
  def global_write_allowed?(varname)
    @allowed_write_globals.include? varname
  end

instances_of(klass)

Specifies the methods allowed for the instances of a class

Example 1:

 privileges.instances_of(Array).allow :each # allow calls of methods named "each" over instances of Array

Example 2:

 privileges.instances_of(Array).allow :select, map # allow calls of methods named "each" and "map" over instances of Array

Example 3:

 privileges.instances_of(Hash).allow_all # allow any method call over instances of Hash

[Source]

# File lib/shikashi/privileges.rb, line 142
  def instances_of(klass)
    hash_entry(@allowed_instances, klass.object_id)
  end

methods_of(klass)

Specifies the methods allowed for an implementation in specific class

Example 1:

 privileges.methods_of(X).allow :foo

 ...
 class X
   def foo # allowed :)
   end
 end

 class Y < X
   def foo # disallowed
   end
 end

 X.new.foo # allowed
 Y.new.foo # disallowed: SecurityError
 ...

[Source]

# File lib/shikashi/privileges.rb, line 167
  def methods_of(klass)
    hash_entry(@allowed_klass_methods, klass.object_id)
  end

object(obj)

Specifies the methods allowed for an specific object

Example 1:

 privileges.object(Hash).allow :new

[Source]

# File lib/shikashi/privileges.rb, line 126
  def object(obj)
    hash_entry(@allowed_objects, obj.object_id)
  end

xstr_allowed?()

[Source]

# File lib/shikashi/privileges.rb, line 261
  def xstr_allowed?
    @xstr_allowed
  end

Methods

Classes and Modules

Public Class methods

Public Instance methods