Allow end user to enter ruby code that I execute
I am working on a Rails app; there are 2 important models, being Reminder and Matcher.

class Reminder < ActiveRecord::Base
end

Reminders allow the user to set their own schedule for something; they have a text field called "condition", which allows them to enter their own Ruby code.
For example they can enter:

Date.today.friday?

if they want the reminder every Friday. I have done this to allow the ultimate flexibility in the way users can create their own reminders.
I then have a scheduled cron task that loops through all of the reminders, checks the condition and actions them, as in:

for reminder in Reminder.all
  if eval(reminder.condition)
    # action the reminder here
  end
end
The other use case for this method is that I also use conditions in the Matcher model, which is harder to explain but allows the user access to the associated model data in the condition; for example the condition might be:
@matcher.parent.name == "father" && @matcher.parent.children.count < 10
I know it's scary to eval what the user has input, but I am doing validation on the model to prevent a few "nasty" words like "delete, destroy, etc". I have built a small in-place code editor with menus to insert code, using the Ace editor.
I love the way this works and it allows the user ultimate flexibility.
How could this be implemented without using eval?
You cannot trust user input. Blocking words will not block more imaginative techniques like send["d-e-s-t-r-o-y".split('-').join('')] or worse.
An improvement you can make, if you want it, is to eval remotely within a hardened virtual machine on a different user account and verify that the stdout of the command matches a date format. But people can get around this if you allow code execution.
For more powerful code you should be writing a DSL of explicit things you want to allow. A whitelist is more secure than a blacklist because nobody is smart enough to beat the rest of the world's imagination combined.
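As an added example (not the answerer's or the original app's code): a minimal whitelisted condition DSL in Ruby that covers both conditions from the question, so the cron loop calls a compiled lambda instead of eval. The field names (weekday, parent_name, children_count), the clause syntax and the context hash are assumptions for illustration; anything outside the whitelist fails validation on save.

```ruby
require 'date'

# Whitelisted condition DSL replacing eval(reminder.condition).
# Field names, clause syntax and the context hash are assumptions made for
# this example; they are not the original app's schema.
module ConditionDSL
  class Invalid < StandardError; end

  # Each field is [expected value type, getter over an explicit context hash];
  # nothing outside this table is reachable from a user-authored condition.
  FIELDS = {
    'weekday'        => [String,  ->(ctx) { ctx.fetch(:today).strftime('%A').downcase }],
    'parent_name'    => [String,  ->(ctx) { ctx.fetch(:parent_name).to_s.downcase }],
    'children_count' => [Integer, ->(ctx) { Integer(ctx.fetch(:children_count)) }],
  }.freeze

  OPERATORS = {
    '==' => ->(a, b) { a == b }, '!=' => ->(a, b) { a != b },
    '<'  => ->(a, b) { a < b },  '<=' => ->(a, b) { a <= b },
    '>'  => ->(a, b) { a > b },  '>=' => ->(a, b) { a >= b },
  }.freeze

  # One clause: <field> <operator> <"string" | integer>; clauses joined by &&.
  CLAUSE = /\A(\w+)\s*(==|!=|<=|>=|<|>)\s*(?:"([^"]*)"|(-?\d+))\z/

  # Compile the text once (e.g. in a model validation) into a lambda over the
  # context, so bad input is rejected on save rather than found by the cron job.
  def self.compile(condition)
    clauses = condition.to_s.split(/\s*&&\s*/).map do |clause|
      m = CLAUSE.match(clause.strip) or raise Invalid, "bad clause: #{clause.inspect}"
      field, op, str, num = m.captures
      type, getter = FIELDS.fetch(field) { raise Invalid, "unknown field: #{field}" }
      value = str ? str.downcase : num.to_i
      raise Invalid, "#{field} expects #{type}" unless value.is_a?(type)
      [getter, OPERATORS.fetch(op), value]
    end
    raise Invalid, 'empty condition' if clauses.empty?
    ->(ctx) { clauses.all? { |getter, cmp, value| cmp.call(getter.call(ctx), value) } }
  end

  # Validation hook: true only if every clause is in the whitelist.
  def self.valid?(condition)
    compile(condition)
    true
  rescue Invalid
    false
  end
end
```

The cron task would then call `ConditionDSL.compile(reminder.condition).call(today: Date.today, ...)` with only the values the reminder is allowed to see.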