Created Sandboxing Ruby: The Good, the Bad, and the Fugly (markdown)

commit cda4cb9d18fdc0e9c34b6b9b9cc7bc2ea5852887 1 parent 47e4a24
@dscataglini dscataglini authored
Showing with 25 additions and 0 deletions.
  1. +25 −0 Sandboxing-Ruby:-The-Good,-the-Bad,-and-the-Fugly.md
25 Sandboxing-Ruby:-The-Good,-the-Bad,-and-the-Fugly.md
@@ -0,0 +1,25 @@
+## Motivation
+We launched rails for zombies and we let people run code on heroku. Our initial method for sandboxing was regex based.
+Zedshaw took us down quickly with a 1 liner. We then had to learn more about sandboxing.
+
+### $SAFE
+Using $SAFE global, unfortunately rails doesn't work with any level higher than 0
+
+### rubycop
+looks at the ast
+
+### jail/jruby_sandbox
+isolates Namespaces
+create a sandbox evaluate a sandbox
+Blocks dangerous operations with Sandbox.safe
+Protects secrets
+Limits resource utilization
+sandboxeval %{while;true;end}, timeout: 5 #
+Can give sandbox "capabilitites
+sandbox.ref(Foo)
+foo = sandbox.eval('Foo.new')
+foo.bar
+
+please go to http://sandboxbreaker3000.heroku.com and try to break it.
+
+
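Review bot: In the jail/jruby_sandbox section the code and the prose are interleaved with no fences or list markers, so `sandboxeval %{while;true;end}, timeout: 5 #` renders as running text; it also looks like a typo for `sandbox.eval`, the form used three lines further down, and it ends in a dangling `#`. Suggest making the feature lines a bullet list, fencing the two snippets, fixing `"capabilitites` (misspelled, and the quote is never closed), and stating what happens when the timeout fires. The `$SAFE` and `rubycop` entries are single fragments: one sentence each on what the approach blocks and where it falls short would help, since Motivation says the regex method failed but the page never says which of the three approaches replaced it.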