Sandboxing Ruby: The Good, the Bad, and the Fugly

dscataglini edited this page Oct 1, 2011 · 1 revision

Motivation

We launched Rails for Zombies and let people run code on Heroku. Our initial method for sandboxing was regex-based. Zedshaw took us down quickly with a one-liner. We then had to learn more about sandboxing.

$SAFE

Uses the $SAFE global. Unfortunately, Rails doesn't work with any level higher than 0.

rubycop

Looks at the AST.
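To show why inspecting the AST holds up where a regex filter does not, here is an added example (not RubyCop's code and not from the talk) that uses Ruby's standard-library Ripper parser. The denylist regex, both allowlists, and the sample inputs are constructed for illustration.

```ruby
require 'ripper'
require 'set'

# Hypothetical regex denylist, standing in for a regex-based filter.
DENYLIST = /\b(system|exec|eval|exit|fork|File|IO)\b|`/

# Deny-by-default lists, constructed for this example.
ALLOWED_NODES = %i[program command call fcall vcall method_add_arg arg_paren
                   args_add_block string_literal string_content binary paren
                   @ident @int @tstring_content @period].to_set
ALLOWED_CALLS = %w[puts upcase reverse length].to_set

def regex_allows?(src)
  !src.match?(DENYLIST)
end

# Walk a Ripper s-expression, recording node types and called method names.
def walk(node, types, calls)
  return unless node.is_a?(Array)
  type = node[0]
  if type.is_a?(Symbol)
    types << type
    return if type.to_s.start_with?('@') # scanner token: [:@type, text, [line, col]]
    case type
    when :command, :fcall, :vcall
      calls << node[1][1]
    when :call, :command_call
      calls << (node[3].is_a?(Array) ? node[3][1] : 'call')
    end
  end
  node.each { |child| walk(child, types, calls) }
end

def ast_allows?(src)
  sexp = Ripper.sexp(src)
  return false if sexp.nil? # unparsable input is rejected
  types, calls = Set.new, Set.new
  walk(sexp, types, calls)
  types.subset?(ALLOWED_NODES) && calls.subset?(ALLOWED_CALLS)
end

# Constructed inputs: the method name is assembled at run time,
# so no denylisted word appears in the source text.
DYNAMIC = 'send("ex" + "it")'
BENIGN  = 'puts "hi".upcase'
```

The regex passes DYNAMIC because it only sees text. The AST check rejects it because `send` is not an allowlisted call, and it rejects any syntax node it was not told to expect.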

jail/jruby_sandbox

- Isolates namespaces
- Create a sandbox
- Evaluate a sandbox
- Blocks dangerous operations with Sandbox.safe
- Protects secrets
- Limits resource utilization

    sandbox.eval %{while true; end}, timeout: 5

    # Can give the sandbox "capabilities"
    sandbox.ref(Foo)
    foo = sandbox.eval('Foo.new')
    foo.bar

Please go to http://sandboxbreaker3000.heroku.com and try to break it.
