Permalink
Browse files

Merge pull request #4 from witlessbird/1.9.3

updated to use latest version of ruby_parser, ruby2ruby, and sexp_processor
  • Loading branch information...
svenfuchs committed Nov 13, 2012
2 parents dc6b1b0 + 1e5370a commit ce2f69944ebd999bdd40c19c6bbbae1e5d1b9e07
View
11 Gemfile
@@ -1,15 +1,18 @@
source "http://rubygems.org"
-gem "ruby2ruby"
-gem "ruby_parser"
+gem 'sexp_processor', ">= 4.1.2"
+gem 'ruby2ruby', ">= 2.0.1"
+gem "ruby_parser", ">= 3.0.1"
# Add dependencies to develop your gem here.
# Include everything needed to run rake, tests, features, etc.
group :development do
gem "shoulda", ">= 0"
gem "rdoc", "~> 3.12"
- gem "bundler", "~> 1.0.0"
+ gem "bundler", "~> 1.0"
gem "jeweler", "~> 1.8.3"
- gem "rcov", ">= 0"
+ gem "rcov", :platforms => :ruby_18
+ gem "simplecov", :platforms => :ruby_19
+ gem "test-unit", :platforms => :ruby_19
gem "rake"
end
View
@@ -1,38 +1,52 @@
GEM
remote: http://rubygems.org/
specs:
+ activesupport (3.2.8)
+ i18n (~> 0.6)
+ multi_json (~> 1.0)
git (1.2.5)
- jeweler (1.8.3)
+ i18n (0.6.1)
+ jeweler (1.8.4)
bundler (~> 1.0)
git (>= 1.2.5)
rake
rdoc
- json (1.6.5)
+ json (1.7.5)
+ multi_json (1.3.6)
rake (0.9.2.2)
rcov (1.0.0)
rdoc (3.12)
json (~> 1.4)
- ruby2ruby (1.3.1)
- ruby_parser (~> 2.0)
- sexp_processor (~> 3.0)
- ruby_parser (2.3.1)
- sexp_processor (~> 3.0)
- sexp_processor (3.1.0)
- shoulda (3.0.1)
- shoulda-context (~> 1.0.0)
- shoulda-matchers (~> 1.0.0)
- shoulda-context (1.0.0)
- shoulda-matchers (1.0.0)
+ ruby2ruby (2.0.1)
+ ruby_parser (~> 3.0.0)
+ sexp_processor (~> 4.0)
+ ruby_parser (3.0.1)
+ sexp_processor (~> 4.1)
+ sexp_processor (4.1.2)
+ shoulda (3.3.2)
+ shoulda-context (~> 1.0.1)
+ shoulda-matchers (~> 1.4.1)
+ shoulda-context (1.0.1)
+ shoulda-matchers (1.4.1)
+ activesupport (>= 3.0.0)
+ simplecov (0.7.1)
+ multi_json (~> 1.0)
+ simplecov-html (~> 0.7.1)
+ simplecov-html (0.7.1)
+ test-unit (2.5.2)
PLATFORMS
ruby
DEPENDENCIES
- bundler (~> 1.0.0)
+ bundler (~> 1.0)
jeweler (~> 1.8.3)
rake
rcov
rdoc (~> 3.12)
- ruby2ruby
- ruby_parser
+ ruby2ruby (>= 2.0.1)
+ ruby_parser (>= 3.0.1)
+ sexp_processor (>= 4.1.2)
shoulda
+ simplecov
+ test-unit
View
@@ -46,12 +46,20 @@ Rake::TestTask.new(:test) do |test|
test.verbose = true
end
-require 'rcov/rcovtask'
-Rcov::RcovTask.new do |test|
- test.libs << 'test'
- test.pattern = 'test/**/test_*.rb'
- test.verbose = true
- test.rcov_opts << '--exclude "gems/*"'
+if RUBY_VERSION >= "1.9"
+ desc "Generate coverage report for tests"
+ task :coverage do |cov|
+ ENV['COVERAGE'] = 'true'
+ Rake::Task[:test].execute
+ end
+else
+ require 'rcov/rcovtask'
+ Rcov::RcovTask.new do |test|
+ test.libs << 'test'
+ test.pattern = 'test/**/test_*.rb'
+ test.verbose = true
+ test.rcov_opts << '--exclude "gems/*"'
+ end
end
task :default => :test
@@ -3,9 +3,9 @@ class Blankslate
@@allow_instance_methods = ['class', 'inspect', 'methods', 'respond_to?', 'to_s', 'instance_variable_get']
@@allow_class_methods = ['methods', 'new', 'name', 'inspect', '<', 'ancestors', '=='] # < needed in Rails Object#subclasses_of
- silently { undef_methods(*instance_methods - @@allow_instance_methods) }
+ silently { undef_methods(*instance_methods.map(&:to_s) - @@allow_instance_methods) }
class << self
- silently { undef_methods(*instance_methods - @@allow_class_methods) }
+ silently { undef_methods(*instance_methods.map(&:to_s) - @@allow_class_methods) }
def method_added(name) end # ActiveSupport needs this
@@ -22,7 +22,7 @@ def core_classes
end
def core_jail_methods(klass)
- @@methods_whitelist[klass.name] + (@@default_methods & klass.instance_methods)
+ @@methods_whitelist[klass.name] + (@@default_methods & klass.instance_methods.map(&:to_s))
end
end
@@ -67,7 +67,7 @@ def core_jail_methods(klass)
'String' => %w(blank? capitalize capitalize! casecmp center chomp chomp!
chop chop! concat count crypt delete delete! downcase
- downcase! dump each each_byte each_line empty? end_with? gsub
+ downcase! dump each_byte each_line empty? end_with? force_encoding gsub
gsub! hash hex include? index insert intern iseuc issjis
isutf8 kconv length ljust lstrip lstrip! match next next! oct
reverse reverse! rindex rjust rstrip rstrip! scan size slice
View
@@ -36,7 +36,7 @@ def process_call(exp)
receiver = jail process_call_receiver(exp)
name = exp.shift
args = process_call_args(exp)
- process_call_code(receiver, name, args)
+ process_call_code(receiver, name, args)
end
def process_fcall(exp)
@@ -79,16 +79,19 @@ def process_iasgn(exp)
:iasgn, # iasgn is sometimes allowed
# not sure about self ...
:self,
+ # :args is now used for block parameters
+ :args,
# unnecessarily advanced?
:argscat, :argspush, :splat, :block_pass,
:op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
# needed for haml
:block ]
disallowed = [ # :self, # self doesn't seem to be needed for vcalls?
- :const, :defn, :defs, :alias, :valias, :undef, :class, :attrset,
+ # see below for :const handling
+ :defn, :defs, :alias, :valias, :undef, :class, :attrset,
:module, :sclass, :colon2, :colon3,
- :fbody, :scope, :args, :block_arg, :postexe,
+ :fbody, :scope, :block_arg, :postexe,
:redo, :retry, :begin, :rescue, :resbody, :ensure,
:defined, :super, :zsuper, :return,
:dmethod, :bmethod, :to_ary, :svalue, :match,
@@ -102,11 +105,18 @@ def process_iasgn(exp)
# :ifunc, :method, :last, :opt_n, :cfunc, :newline, :alloca, :memo, :cref
disallowed.each do |name|
- define_method "process_#{name}" do
- code = super
+ define_method "process_#{name}" do |arg|
+ code = super(arg)
raise_security_error(name, code)
end
end
+
+ # handling of Encoding constants in ruby 1.9.
+ # Note: ruby_parser evaluates __ENCODING__ to :const Encoding::UTF_8
+ def process_const(arg)
+ raise_security_error("constant", super(arg)) unless (RUBY_VERSION >= "1.9" and arg.sexp_type.class == Encoding)
+ "Encoding::#{super(arg).gsub('-', '_')}"
+ end
def raise_security_error(type, info)
raise Safemode::SecurityError.new(type, info)
@@ -124,14 +134,17 @@ def process_call_receiver(exp)
end
def process_call_args(exp)
- args_exp = exp.shift rescue nil
- if args_exp && args_exp.first == :array # FIX
- args = "#{process(args_exp)[1..-2]}"
- else
- args = process args_exp
- args = nil if args.empty?
+ args = []
+ while not exp.empty? do
+ args_exp = exp.shift
+ if args_exp && args_exp.first == :array # FIX
+ processed = "#{process(args_exp)[1..-2]}"
+ else
+ processed = process args_exp
+ end
+ args << processed unless (processed.nil? or processed.empty?)
end
- args
+ args.empty? ? nil : args.join(", ")
end
def process_call_code(receiver, name, args)
View
@@ -29,10 +29,10 @@ def print(*args)
def output
@_safemode_output
end
-
+
def method_missing(method, *args, &block)
if @locals.has_key?(method)
- @locals[method]
+ @locals[method]
elsif @delegate_methods.include?(method)
@delegate.send method, *unjail_args(args), &block
else
@@ -54,5 +54,5 @@ def unjail_args(args)
arg.class.name =~ /::Jail$/ ? arg.instance_variable_get(:@source) : arg
end
end
- end
+ end
end
View
@@ -5,11 +5,11 @@
Gem::Specification.new do |s|
s.name = "safemode"
- s.version = "1.0.1"
+ s.version = "1.0.2"
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
s.authors = ["Sven Fuchs", "Peter Cooper", "Matthias Viehweger", "Kingsley Hendrickse", "Ohad Levy"]
- s.date = "2012-03-16"
+ s.date = "2012-10-24"
s.description = "A library for safe evaluation of Ruby code based on RubyParser and Ruby2Ruby. Provides Rails ActionView template handlers for ERB and Haml."
s.email = "ohadlevy@gmail.com"
s.extra_rdoc_files = [
@@ -56,31 +56,34 @@ Gem::Specification.new do |s|
s.specification_version = 3
if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
- s.add_runtime_dependency(%q<ruby2ruby>, [">= 0"])
- s.add_runtime_dependency(%q<ruby_parser>, [">= 0"])
+ s.add_runtime_dependency(%q<ruby2ruby>, [">= 2.0.0.b1"])
+ s.add_runtime_dependency(%q<ruby_parser>, [">= 3.0.0.a9"])
s.add_development_dependency(%q<shoulda>, [">= 0"])
s.add_development_dependency(%q<rdoc>, ["~> 3.12"])
s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
s.add_development_dependency(%q<jeweler>, ["~> 1.8.3"])
s.add_development_dependency(%q<rcov>, [">= 0"])
+ s.add_development_dependency(%q<simplecov>, [">= 0"])
s.add_development_dependency(%q<rake>, [">= 0"])
else
- s.add_dependency(%q<ruby2ruby>, [">= 0"])
- s.add_dependency(%q<ruby_parser>, [">= 0"])
+ s.add_dependency(%q<ruby2ruby>, [">= 2.0.0.b1"])
+ s.add_dependency(%q<ruby_parser>, [">= 3.0.0.a9"])
s.add_dependency(%q<shoulda>, [">= 0"])
s.add_dependency(%q<rdoc>, ["~> 3.12"])
s.add_dependency(%q<bundler>, ["~> 1.0.0"])
s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
+ s.add_dependency(%q<simplecov>, [">= 0"])
s.add_dependency(%q<rcov>, [">= 0"])
s.add_dependency(%q<rake>, [">= 0"])
end
else
- s.add_dependency(%q<ruby2ruby>, [">= 0"])
- s.add_dependency(%q<ruby_parser>, [">= 0"])
+ s.add_dependency(%q<ruby2ruby>, [">= 2.0.0.b1"])
+ s.add_dependency(%q<ruby_parser>, [">= 3.0.0.a9"])
s.add_dependency(%q<shoulda>, [">= 0"])
s.add_dependency(%q<rdoc>, ["~> 3.12"])
s.add_dependency(%q<bundler>, ["~> 1.0.0"])
s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
+ s.add_dependency(%q<simplecov>, [">= 0"])
s.add_dependency(%q<rcov>, [">= 0"])
s.add_dependency(%q<rake>, [">= 0"])
end
View
@@ -73,4 +73,4 @@ def test_calling_#{call.gsub(/[\W]/, '_')}_should_raise_security
)
end
-end
+end
View
@@ -1,3 +1,8 @@
+if RUBY_VERSION >= '1.9'and ENV['COVERAGE']
+ require 'simplecov'
+ SimpleCov.start {add_filter 'test_'}
+end
+
$LOAD_PATH << File.join(File.dirname(__FILE__), '..', 'lib')
require 'rubygems'
@@ -96,6 +101,10 @@ def to_jail
def comments
[Comment.new(self), Comment.new(self)]
end
+
+ def method_missing(method, *args, &block)
+ super(method, *args, &block)
+ end
end
class Comment
View
@@ -21,7 +21,7 @@ def test_sending_to_jail_to_an_object_should_return_a_jail
def test_jail_instances_should_have_limited_methods
expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "to_jail", "to_s", "instance_variable_get"]
objects.each do |object|
- assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.sort)
+ assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.map(&:to_s).sort)
end
end
@@ -32,7 +32,7 @@ def test_jail_classes_should_have_limited_methods
"ancestors", "==" # ancestors and == needed in Rails::Generator::Spec#lookup_class
]
objects.each do |object|
- assert_equal expected.sort, reject_pretty_methods(object.to_jail.class.methods.sort)
+ assert_equal expected.sort, reject_pretty_methods(object.to_jail.class.methods.map(&:to_s).sort)
end
end
@@ -28,7 +28,7 @@ def test_should_allow_method_access_on_assigns
end
def test_should_allow_method_access_on_locals
- assert_nothing_raised{ @box.eval "article.title", {}, @locals }
+ assert_nothing_raised{ @box.eval("article.title", {}, @locals) }
end
def test_should_not_raise_on_if_using_return_values

0 comments on commit ce2f699

Please sign in to comment.