Hi,

I'm currently hosting IronRuby within a C# Application. Is there any way to validate the IronRuby scripts that will be invoked by the DLR?

For example I'd like to prevent users from executing scripts that include the "require" statement or an impersonation statement...

Any ideas?

thx

Thorsten

Regex and filter it. I don't think the DLR has a sandbox mechanism for this.

On Thu, Aug 12, 2010 at 12:57 PM, Thorsten Hans <thorsten.hans at gmail.com> wrote:
> Hi,
>
> I'm currently hosting IronRuby within a C# Application. Is there any way to
> validate the IronRuby scripts that will be invoked by the DLR?
>
> For example I'd like to prevent users from executing scripts that include
> the "require" statement or an impersonation statement...
>
> Any ideas?
>
> thx
>
> Thorsten

--
nomadlife.org

We have a sandboxing mechanism - we rely on CLR's AppDomains: http://blogs.msdn.com/b/shawnfa/archive/2005/08/08/449050.aspx

You can use this API in conjunction with ScriptRuntime.CreateRemote(appDomain, setup) DLR Hosting API.

I wouldn't even try to do any source code analysis to ensure security rules if I were you. You'd be doomed to failure. For example, consider this script:

    // At run time the Ruby code evaluates "require bad_script"; the word "require" never appears literally in the source.
    string my_script = @"x, y = 'u', 'b'; eval(""req#{x}ire #{y}ad_script"")";

How do you analyze that? (Not that it would be completely impossible to do so in this particular case, but you get the point.)

Tomas

From: ironruby-core-bounces at rubyforge.org [mailto:ironruby-core-bounces at rubyforge.org] On Behalf Of Dody Gunawinata
Sent: Thursday, August 12, 2010 3:17 AM
To: ironruby-core at rubyforge.org
Subject: Re: [Ironruby-core] Script Validation

> Regex and filter it. I don't think the DLR has a sandbox mechanism for this.
>
> On Thu, Aug 12, 2010 at 12:57 PM, Thorsten Hans <thorsten.hans at gmail.com> wrote:
>> Hi,
>>
>> I'm currently hosting IronRuby within a C# Application. Is there any way to
>> validate the IronRuby scripts that will be invoked by the DLR?
>>
>> For example I'd like to prevent users from executing scripts that include
>> the "require" statement or an impersonation statement...
>>
>> Any ideas?
>>
>> thx
>>
>> Thorsten
>
> --
> nomadlife.org

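The AppDomain sandbox described in the reply above, as an added example that is not part of the original thread and not IronRuby's own code: it creates a partial-trust AppDomain granted only execution permission and runs scripts in it through ScriptRuntime.CreateRemote. The class name SandboxedRubyHost, the domain name, the sample scripts and the file path are constructed, and it is an assumption that the IronRuby and DLR assemblies are loadable in partial trust from the host's base directory.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using IronRuby;
using Microsoft.Scripting.Hosting;

// Hypothetical host class; not taken from the thread.
static class SandboxedRubyHost
{
    static AppDomain CreateSandbox()
    {
        // Start from an empty grant set and add only the right to run code.
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Assumption: the IronRuby and DLR assemblies sit next to the host executable.
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };

        // No full-trust assemblies are listed, so all code loaded here is partially trusted.
        return AppDomain.CreateDomain("RubySandbox", null, setup, grant);
    }

    static void Main()
    {
        AppDomain sandbox = CreateSandbox();
        try
        {
            ScriptRuntime runtime = ScriptRuntime.CreateRemote(sandbox, Ruby.CreateRuntimeSetup());
            ScriptEngine engine = runtime.GetEngine("Ruby");

            // Pure computation needs no extra permission.
            Console.WriteLine(engine.Execute<int>("6 * 7"));

            // Constructed script that reaches for the file system; the CLR enforces the
            // grant set no matter how the Ruby source spells or assembles the call.
            try
            {
                engine.Execute("File.read('C:/constructed/example.txt')");
                Console.WriteLine("unexpected: file access was allowed");
            }
            catch (Exception e)
            {
                Console.WriteLine("blocked: " + e.GetType().Name);
            }
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```
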
I just recently had the same question in mind - how could one sandbox IronRuby? I'd imagine that .NET's built-in security model could be used to prevent the app from accessing the file system, P/Invoking, etc.; however, I don't know if the security model is fine-grained enough to apply to just a particular AppDomain. If it is, then you could probably use IronRuby's built-in method for running scripts in another AppDomain - one that's locked down.

I'm sort of ignorant in this area though, so I can't really help that much. Hopefully someone smarter than myself will chime in.

-Charles

On Thu, Aug 12, 2010 at 4:57 AM, Thorsten Hans <thorsten.hans at gmail.com> wrote:
> Hi,
>
> I'm currently hosting IronRuby within a C# Application. Is there any way to
> validate the IronRuby scripts that will be invoked by the DLR?
>
> For example I'd like to prevent users from executing scripts that include
> the "require" statement or an impersonation statement...
>
> Any ideas?
>
> thx
>
> Thorsten