The JRuby sandbox is a reimplementation of _why's freaky freaky sandbox in JRuby, and is heavily based on javasand by Ola Bini, but updated for JRuby 1.6.
This gem requires JRuby 1.6. You can install it with RVM:
rvm install jruby-1.6.1
To build the JRuby extension, run
rake compile. This will build the
lib/sandbox/sandbox.jar file, which
Sandbox gives you a self-contained JRuby interpreter in which to eval code without polluting the host environment.
>> require "sandbox" => true >> sand = Sandbox::Full.new => #<Sandbox::Full:0x46377e2a> >> sand.eval("x = 1 + 2") => 3 >> sand.eval("x") => 3 >> x NameError: undefined local variable or method `x' for #<Object:0x11cdc190>
Sandbox::Full#require, which lets you invoke
Kernel#require directly for the sandbox, so you can load any trusted
core libraries. Note that this is a direct binding to
so it will only load ruby stdlib libraries (i.e. no rubygems support
Known Issues / TODOs
Sandbox::Safeis currently just an alias for
Sandbox::Full. The plan is to make it extend from
Sandbox::Fulland lock down the environment (using
#keep_methods) in its initializer.
- It would be a good idea to integrate something like FakeFS to stub out the filesystem in the sandbox.
- There is currently no timeout support, so it's possible for a sandbox to loop indefinitely and block the host interpreter.