Hi,

I have a requirement where a user could enter ruby scripts in the view (typically a text area) and the controller should pick this text on submit and execute the script (content of text area) line by line.

How should I do it in rails?

Thanks,
Sudhi
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 21 Feb 2009, at 12:37, Sudhi Kulkarni wrote:
> Hi,
> I have a requirement where a user could enter ruby scripts in the
> view (typically a text area) and the controller should pick this text on
> submit and execute the script (content of text area) line by line.
>
> How should I do it in rails?

Well you could just use eval, but that sounds like an incredibly bad idea security wise.

Fred

> Thanks,
> Sudhi
> --
> Posted via http://www.ruby-forum.com/.

Frederick Cheung wrote:
> On 21 Feb 2009, at 12:37, Sudhi Kulkarni wrote:
>
>> Hi,
>> I have a requirement where a user could enter ruby scripts in the
>> view (typically a text area) and the controller should pick this text on
>> submit and execute the script (content of text area) line by line.
>>
>> How should I do it in rails?
>
> Well you could just use eval, but that sounds like an incredibly bad
> idea security wise.
>
> Fred

I did try 'eval @test.script' where the script was filled in the @test.script but that does not work. Is there a safe way of handling execution errors that can occur when executing scripts?

--
Posted via http://www.ruby-forum.com/.

On Feb 21, 8:31 am, Sudhi Kulkarni <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Frederick Cheung wrote:
> > On 21 Feb 2009, at 12:37, Sudhi Kulkarni wrote:
> >
> >> Hi,
> >> I have a requirement where a user could enter ruby scripts in the
> >> view (typically a text area) and the controller should pick this text on
> >> submit and execute the script (content of text area) line by line.
> >>
> >> How should I do it in rails?
> >
> > Well you could just use eval, but that sounds like an incredibly bad
> > idea security wise.
> >
> > Fred
>
> I did try 'eval @test.script' where the script was filled in the
> @test.script but that does not work. Is there a safe way of handling
> execution errors that can occur when executing scripts
> --

+1 to Fred's comment about security - there are some solutions that can mitigate the security problems, but eval'ing code sent from the web is a BAD IDEA. If you have *any* user access control in your system, this can get around it.

There are a couple things you might be interested in:

- _why's Sandbox class. It's mostly a proof of concept, but it might have some ideas. Note that while it can keep some bad things from happening, you'll still need to give the sandboxed code access to the DB (that is why you're evaling Ruby from the web, right?)

- at the very least, some kind of usage of $SAFE, which could protect your environment a little. But then you've got threading problems...

- if you just want a console-like environment, Kawaii (http://github.com/eviltrout/kawaii) might save you from re-inventing the wheel.

Finally, to answer your actual question, you'd use a rescue clause to catch execution errors. Check your favorite Ruby reference for more details.

--Matt Jones
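
Added example (not part of the thread and not any poster's code): one way to meet the requirement without eval is to treat each line of the text area as a command from a fixed allowlist, and to capture failures per line with a rescue clause as suggested above. The ScriptRunner class, its command names and the sample script are hypothetical.

```ruby
require "shellwords"

# Hypothetical runner: each submitted line is "<command> <args...>".
# Nothing is passed to eval, so only the handlers listed here can run.
class ScriptRunner
  Result = Struct.new(:line_no, :source, :ok, :output)

  # Allowlist of command name => handler (names are assumptions for this example).
  COMMANDS = {
    "echo"   => ->(args) { args.join(" ") },
    "upcase" => ->(args) { args.join(" ").upcase },
    "add"    => ->(args) { args.map { |a| Integer(a) }.sum }
  }.freeze

  MAX_LINES = 100 # bound the work a single submission can request

  # Runs the script in order; returns one Result per non-blank, non-comment line.
  def self.run(script)
    lines = script.to_s.lines.map(&:strip)
    raise ArgumentError, "script exceeds #{MAX_LINES} lines" if lines.size > MAX_LINES

    lines.each_with_index.filter_map do |line, index|
      next if line.empty? || line.start_with?("#")
      run_line(line, index + 1)
    end
  end

  def self.run_line(line, line_no)
    name, *args = Shellwords.split(line)
    handler = COMMANDS.fetch(name) { raise ArgumentError, "unknown command: #{name}" }
    Result.new(line_no, line, true, handler.call(args))
  rescue StandardError => e
    # A failing line is reported, not raised, so later lines still run.
    Result.new(line_no, line, false, "#{e.class}: #{e.message}")
  end
end

# Constructed sample input, as it might arrive from params[:script].
SAMPLE_SCRIPT = <<~SCRIPT
  # comment lines and blanks are skipped
  echo hello world
  add 2 3
  puts 1 + 1
  add 2 x
SCRIPT

if __FILE__ == $PROGRAM_NAME
  ScriptRunner.run(SAMPLE_SCRIPT).each do |r|
    puts format("%-3d %-18s %s %s", r.line_no, r.source, r.ok ? "ok " : "ERR", r.output)
  end
end
```

The `puts 1 + 1` line is rejected as an unknown command instead of being executed as Ruby. The $SAFE mechanism mentioned in the thread was removed in Ruby 3.0, so on current Ruby a restriction like this allowlist has to be enforced by the application itself.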

On Feb 21, 6:51 pm, Matt Jones <al2o...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> +1 to Fred's comment about security - there are some solutions that
> can mitigate
> the security problems, but eval'ing code sent from the web is a BAD
> IDEA. If you
> have *any* user access control in your system, this can get around it.
>
> There are a couple things you might be interested in:

One thing I've been thinking recently is that jruby might be neat for this, assuming you can just lean on Java's security stuff (no idea if you can).

Fred

> - _why's Sandbox class. It's mostly a proof of concept, but it might
> have some ideas.
> Note that while it can keep some bad things from happening, you'll
> still need to give
> the sandboxed code access to the DB (that is why you're evaling Ruby
> from the web, right?)
>
> - at the very least, some kind of usage of $SAFE, which could protect
> your environment
> a little. But then you've got threading problems...
>
> - if you just want a console-like environment, Kawaii
> (http://github.com/eviltrout/kawaii) might
> save you from re-inventing the wheel.
>
> Finally, to answer your actual question, you'd use a rescue clause to
> catch execution errors.
> Check your favorite Ruby reference for more details.
>
> --Matt Jones

Frederick Cheung wrote:
> On Feb 21, 6:51 pm, Matt Jones <al2o...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> +1 to Fred's comment about security - there are some solutions that
>> can mitigate
>> the security problems, but eval'ing code sent from the web is a BAD
>> IDEA. If you
>> have *any* user access control in your system, this can get around it.
>>
>> There are a couple things you might be interested in:
>
> One thing I've been thinking recently is that jruby might be neat for
> this, assuming you can just lean on Java's security stuff (no idea if
> you can).
>
> Fred

Thanks for the inputs. Yes, there could be some security implications with this but is there a neat way of say providing a tool which provides the user a way to control script execution on the server? Also the flexibility of ordering scripts is important, that is why a full fledged ruby editor is required on the browser. Is there any view plugin which can accept ruby scripts?

--
Posted via http://www.ruby-forum.com/.