
joegoggins/jruby-sandbox

 
 

JRuby Sandbox

The JRuby sandbox is a reimplementation of _why's freaky freaky sandbox in JRuby, and is heavily based on javasand by Ola Bini, but updated for JRuby 1.6.

Prerequisites

This gem requires JRuby 1.6. As of the time of this writing, it is known to work with the latest stable version of JRuby, 1.6.3. You can install it via RVM with the following command:

rvm install jruby-1.6.3

Install and usage via Rubygems

gem install jruby_sandbox

Basic Usage

Sandbox gives you a self-contained JRuby interpreter in which to eval code without polluting the host environment.

$ irb
>> require 'rubygems'
>> require "sandbox"
>> sand = Sandbox::Full.new
=> #<Sandbox::Full:0x46377e2a>
>> sand.eval("x = 1 + 2")
=> 3
>> sand.eval("x")
=> 3
>> x
NameError: undefined local variable or method `x' for #<Object:0x11cdc190>

There's also Sandbox::Full#require, which invokes Kernel#require inside the sandbox so you can load trusted core libraries. Because this is a direct binding to Kernel#require, it will only load Ruby stdlib libraries (i.e. no RubyGems support yet).

Sandbox::Safe usage

Sandbox::Safe exposes an #activate! method which will lock down the sandbox, removing unsafe methods. Before calling #activate!, Sandbox::Safe is the same as Sandbox::Full.

$ irb
>> require 'rubygems'
>> require "sandbox"
>> sand = Sandbox.safe
=> #<Sandbox::Safe:0x17072b90>
>> sand.eval %{`echo HELLO`}
=> "HELLO\n"
>> sand.activate!
>> sand.eval %{`echo HELLO`}
Sandbox::SandboxException: NoMethodError: undefined method ``' for main:Object

Sandbox::Safe works by whitelisting the methods to keep and removing the rest. Check out sandbox.rb to see which methods are kept.
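
The keep-list-and-remove approach described above, sketched in plain Ruby as an added example; it is not code from jruby-sandbox, and Jail, KEEP, lock_down and try_eval are hypothetical names. It locks down a single class in the host interpreter, which on its own is not an isolation boundary; the gem applies its lockdown to a self-contained interpreter.

```ruby
# Added illustration, not jruby-sandbox code. Jail, KEEP, lock_down and
# try_eval are hypothetical names chosen for this sketch.
class Jail; end

# Allowlist: the only methods Jail instances keep after lockdown.
KEEP = %i[
  initialize instance_eval method_missing respond_to? respond_to_missing?
  __send__ __id__ object_id class inspect to_s == != ! equal?
  singleton_method_added singleton_method_removed singleton_method_undefined
  Integer
].freeze

# Undefine every public, protected and private instance method that klass
# has or inherits and that is not on the allowlist; return what was removed.
def lock_down(klass, keep)
  removed = (klass.instance_methods + klass.private_instance_methods).uniq - keep
  removed.each { |name| klass.send(:undef_method, name) }
  removed
end

# Evaluate code with a Jail instance as self; report blocked calls by name.
def try_eval(jail, code)
  jail.instance_eval(code)
rescue NameError => e
  "blocked: #{e.name}"
end

REMOVED = lock_down(Jail, KEEP)
jail = Jail.new
puts try_eval(jail, 'Integer("42")')        # allowlisted Kernel method still works
puts try_eval(jail, '`echo HELLO`')         # backtick was removed, never runs
puts Object.new.respond_to?(:`, true)       # the host's own objects are untouched
```

Anything missing from the keep list is gone by default, so a method added to Kernel later is blocked without anyone having to remember to deny it.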

Sandbox::Safe#activate! also isolates the sandbox environment from the filesystem using FakeFS.

$ irb
>> require 'rubygems'
>> require 'sandbox'
>> s = Sandbox.safe
=> #<Sandbox::Safe:0x3fdb8a73>
>> s.eval('Dir["/"]')
=> ["/"]
>> s.eval('Dir["/*"]')
=> ["/Applications", "/bin", "/cores", "/dev", etc.]
>> s.activate!
>> s.eval('Dir["/*"]')
=> []
>> Dir['/*']
=> ["/Applications", "/bin", "/cores", "/dev", etc.]

Building (when using via git clone rather than gem)

To build the JRuby extension, run rake compile. This will build the lib/sandbox/sandbox.jar file, which lib/sandbox.rb loads.

Known Issues / TODOs

  • There is currently no timeout support, so it's possible for a sandbox to loop indefinitely and block the host interpreter.

About

JRuby VM sandboxes
