NEWS: Bad credit cards instant approval Credit score codes: Buy Motrin Instant approval credit cards for bad Xenical Your credit score VPN No credit score Trans union credit score Creditcard debt elimination! Discover credit card company Buy Coral Calcium Cheap Cialis Soft Tabs Samsung Ringtones, Instant approval no credit credit cards Card credit debt grant help pay Buy Valtrex Biaxin Buy Viagra + Cialis Plavix. Aldactone Periactin Boost your credit score Cheap Ultracet Free credit report no credit card required Card credit debt help. Hytrin Fair credit reporting act fcra Card credit debt forgiveness settlement Buy Diflucan Buy Accutane Freee credit report Online Prozac Buy Viagra Professional Credit score in Cheap Cipro Buy Lasix Excessive credit card debt? Valium Explaining credit report scores Cheap Doxycycline Cheap Flonase Fosamax Buy Cipro A credit report Ringtones Converter Cheap Yerba Diet Credit score loan: Vicodin Buy Viagra + Cialis + Levitra Polyphonic Ringtones Mosquito Ringtones Imitrex Online Cialis Professional Lowest apr credit cards Bank credit card application: Kamagra Aldactone Buy Tenormin Free credit report no membership online Card credit debt debt negotiation reduction service Instant online approval for credit cards 3 credit report Check my credit score Ceftin Buy Zyban Viagra Credit report and scores Ultram New credit score Capoten For credit scores, Flagyl ER Low apr credit cards. Cheap Allegra Bankruptcy credit report Cheap Flomax To raise my credit score Credit card application immediate online approval Cheap Cialis Soft Tabs Cheap Viagra + Cialis + Levitra Cheap Flomax Buy Zanaflex Annual credit report free Low apr credit cards Torn up credit card application Contivity VPN Credit score definition. Personal credit reports Ceftin High credit score For low credit scores Prepaid credit card uk Boost credit score Credit score values Credit report No credit checks and instant aproval cards Low interest apr credit cards? Instant approval credit cards with bad or no credit Lo apr credit cards Card credit debt student No credit instant approval credit cards Best credit score Nexium Buy Viagra Soft + Cialis Soft National credit reporting Usa credit card company Buy Cymbalta! Credit score car loan Cialis Soft Tabs Canada credit card application Your credit report Coreg Cheap Female Viagra, Arava Butalbital Best platinum credit cards with low apr Arava Lamisil Buy SleepWell (Herbal XANAX) Avodart VPN dialup. Instant fleet reward credit card application Credit reporting burea Set up VPN Buy Viagra Jelly Cheap Prevacid Propecia Drug Phentermine No Prescription Instant credit card application approval Ativan Online How to improve credit scores! Remeron Hotlink Caller Ringtones Cheap Aciphex Credit report gov Average national credit score Dianabol Risperdal Cheap Acomplia Maxis Caller Ringtones com! Buy Propecia Credit union annual meeting reports No credit card application Buy Plendil Buy Avandia Singulair Free VPN client Cheap Cardura Verizon Ringtones National free credit report Poor credit score Madonna Ringtones Remove credit card debt Online Zithromax Buy Hoodia Buy Diovan Cheap Tenormin Consumer credit reporting Biaxin Cheap Avodart Card consolidation credit debt financial internet Phentermine Diet Pills. Instant online approval credit cards fleet Zithromax Cheap Pravachol Obestat Ultram Danazol. Buy Levitra 2004 card college credit debt mae nellie statistics student T Mobile Ringtones Good credit score: Cheap Lipitor Buy Aldactone Disputing credit reports Chase credit card application status: O apr credit cards Affect credit score! Credit card applications for bad Relient K Ringtones How to improve my credit score Free Ringtones Cheap Ditropan Cheap Lasix Corporate credit card application Credit score simulator Cancel credit card debt Apr for credit cards? What are credit scores Get my credit report Scores credit Your credit score in? VPN setup xp Penis Growth Pills, Heartland credit card processing Best platinum credit cards with low apr Carisoprodol Insurance credit score? Freeze credit reports Online SleepWell (Herbal XANAX) Buy Acomplia Buy Avandia Buy Zocor Buy Arimidex Buy Cialis Cheap Allegra Credit report no credit card Discover credit card company! Credit reporting companies Vicodin Popular press article on college credit card debt Amoxil Internet privacy Credit card applications for Card consolidation credit debt To increase credit score? Understanding credit score Credit cards instant approval access Fioricet Codeine Actos: Average credit scores Viagra Lozol Internet VPN xp? 50 Cent Free Ringtones Phentermine Cheap. Relient K Ringtones Cheap SleepWell (Herbal XANAX) 0 apr credit cards uk How do i get my free annual credit report Credit bureau score Highest credit score Deceased credit card debt Free credit card application center? Is 700 a good credit score 0 apr credit card application Cheap credit reports Zoloft Credit score system Instant approval bad credit credit cards Credit reporting law Cheap Valtrex Master card credit application Counseling credit card debt? Credit cards 1.99 apr ny Cheap Prozac Hsbc credit card application and verification fraud Credit card offer? Improve my credit score Cheap Feldene? Zyprexa Credit report with score Cheap Buspar Equifax free copy of credit report Out my credit score VPN connection? Cheap Cymbalta Cheap Cialis Professional! Instant credit card approval applications Fioricet Codeine Prozac Unsecured credit card application, Tylenol Ringtones? No apr credit cards Personal credit reports Alprazolam Xanax Allegra Bactroban Weight Loss Weight Loss Debt credit report? Inderal Perfect credit score Instant approval credit cards for people with bad credit Cheap Celebrex Obtain a credit report VPN client! Famvir VPN Credit score mortgages Alltel Ringtones Credit card debt consolidation information Credit score interest. Xanax Online Card consolidation credit debt financial internet Tenormin VPN setup Carisoprodol Instant online approval credit cards Remind Ringtones Fixed apr credit cards Seting up a VPN Low interest credit cards with instant approval Cheap Zithromax Credit rating report: Victoria secret credit card application Buy Inderal Adderall Check my credit report, Buy Coral Calcium Cic credit reports, Best credit card debt help Transunion credit reports. Propecia Cost Virtual private network, Buy Clarinex Motorola Ringtones? Buy Pravachol Cheap Nexium Topamax Hydrocodone: Apr credit cards Buy Nexium? Zyrtec Best apr credit cards? Low apr student credit cards Renova, Free consumer credit report Buy Levaquin Credit card debt termination Effexor, Interest rate credit score Buy Amoxil Cheap Nexium My credit scores Credit score interest Bontril Credit card applications for people Celexa. Premarin Credit score check International credit reporting Credit score online Tramadol Hydrochloride Arimidex Free government credit report Adipex. Free Ringtones Whats a good credit score Mbna credit card application No apr no annual fee low interest credit cards! Baclofen Cheap Topamax Household bank credit card application Buy Cialis Jelly Buy Phentrimine Buy Singulair Cheap Desyrel Tramadol Hcl Stop credit card applications Online Levitra. Buy SleepWell (Herbal XANAX) Cheap Lipitor Card credit debt grant help pay Cheap Weight Loss Mortgage credit reports Nokia Ringtones! Online capital one zero interest credit card application Buy Lisinopril, Calan Average credit card debt in america Setup VPN Capital one credit card application in canada Penis Growth Pills Debt consolidation credit cards Trimox Free credit report com: Torrente Instant approval credit cards applications Credit score definition Free Mp Ringtones VPN download How to increase your credit score, Discover secured credit card Atarax Highest credit score Buy Lasix Free instant credit report online no credit card needed Credit card applications for bad? Effexor Lipitor Low fixed apr credit cards Buy Female Viagra Get my credit score High credit score Credit score repair Cheap Buspar? Card credit debt plan reduction Accept credit card payment: Prozac Credit card bad debt Cheap Danazol Creditscore Annual credit report .com Negotiating settlement credit card debt Cheap Claritin Cozaar! Free Verizon Ringtones Lozol Find out my credit score Credit report fico score! Didrex Credit report and Cardura Online business credit report. Norvasc Disputing credit reports Cheap Clomid Avapro Lo apr credit cards Cheap Prilosec Online student credit card application Credit score in Credit score reports Fioricet? Score federal credit union Best apr credit cards Card credit debt divorce Time limit for reporting bad credit, Torn up credit card application Contivity VPN Credit card debt remover Cialis Stop credit card application mailers Cheap Pravachol Credit card application bad Buy Zoloft Cheap Weight Loss Synthroid No credit score Polyphonic Ringtones VPN setup Alprazolam Xanax: Buy Cleocin Alprazolam Online Deltasone Mortgage credit score Cheap Diclofenac Phentermine Online Online capital one 0 interest credit card application Credit card application, Aristocort Adipex Online Eminem Ringtones Buy Phentrimine Norco Online Viagra Report free credit card required instant online Cialis Cheap Viagra Professional Zelnorm Credit scores meaning Flomax Whats my credit score Instant credit cards approval: Transunion free credit report Cheap Rimonabant Free Cingular Ringtones Clean your credit report, Credit report equifax Instant capital one low rate credit card application Credit card offer Cheap Zyban Real estate investing information free credit report score Secured credit cards low apr credit card balance transfer. Credit score ranges Search high limit credit cards instant online approval Ativan Drug Card credit debt eliminate forgiveness Protect yourself Clarinex? Florida free credit report Application card credit instant response Atarax Fleet low interest rate credit card application. Credit reporting in Credit card debt information Neurontin Levitra To increase credit score Adipex? Deltasone Cialis Online Credit report score trans union Real estate investing information free credit report score Cheap Propecia New Ringtones Boost credit score Free Nextel Ringtones: Levaquin Card credit debt negotiation settlement Prozac Hyzaar Lortab Free instant credit report online no credit card needed Card credit debt elimination scam Free business credit report? Singulair Retin Celebrex Best credit report Tramadol Why is your credit score is important San diego credit score needed to get a mortgage One credit card application: Lamictal Find out my credit score Poor credit scores Online Viagra + Cialis: Buy Ceftin Fixing credit report Tylenol 50 Cent Free Ringtones Online Propecia VPN server Buy Nexium Prednisone Imuran Best credit cards and low apr Application card chase check credit status Buy Norvasc 0 apr credit card application Cheap Viagra! Card credit debt eliminate forgiveness Credit card application center Lowest apr rates on credit cards The fair credit reporting Cheap Topamax Credit score interest rate Buy Sumycin Mint credit card uk! Cicsco VPN Instant approval credit cards for: Whats a good credit score How to obtain personal credit report! Eliminate credit card debt without paying erase Hsbc credit card application and verification fraud Naprosyn Lisinopril Buy Aldactone Credit reports com Free credit report online no membership Dance Last Ringtones, Online Phentrimine Free online credit report canada: Information on credit report Butterfly Ringtones? Clarinex Zyban! Credit report with score Parlodel Ativan Credit card debt remover Gas credit card application Clear credit report Levitra Buy Augmentin? Cheap Evista Secured credit card application National free credit report Credit card reporting Online Phentermine Hc Open VPN: Lipitor Application card citibank credit Meridia Anafranil My credit scores Low interest fixed apr credit cards Instant approval business credit cards Three credit reporting agencies? Ringtones Proscar Trw credit reports Low fixed apr cards for low credit Best intoductory apr credit cards Buy Lipitor Credit card application form Lorazepam Business credit score Corporate credit card application Dave Hollister Ringtones Low credit score loans. Online Cialis Cheap Propecia Ringtones Converter Free online credit score Raise your credit score Unsecured credit cards low apr interest annual fee: Buy Ultracet Client VPN How do i get my free annual credit report Preapproved credit card offers Average credit card debt in america Buy Allegra? Credit report and scores Cheap Clarinex: Instant approval bad credit cards Soma? Samsung Ringtones Buy Imitrex Stop credit card applications Soma Buy Zyrtec Average credit scores: Nextel Ringtones Instant credit score Instant approval credit cards for bad A credit card application Zetia Cialis Soft Tabs Order credit report Cheap Aciphex Capital one low interest credit card application Cheap Cialis Jelly Credit report bureau Buy Prevacid Obtain credit report Nextel Ringtones Information credit report Credit cards online application Nolvadex Guaranteed instant approval credit cards with no credit, Glucophage Valtrex Lowest apr credit cards Evista. Credit card application Cheap Cozaar Cheap Nizoral 0 apr on balance transfer credit cards! Citi bank credit card application Credit bureau scores Ways to improve credit score Nexium Increasing credit scores Buy Aciphex Cancel card credit debt Buy Depakote. Credit card debt manageme Danazol Credit card application instant approval number Unpaid credit card debt, Us credit cards interest low apr 0 Good credit scores Free credit report no membership online No apr annual fee low interest credit cards Cheap Celexa Credit card application forms Buy Depakote Cheap Viagra Soft Tabs Credit report monitor Trw credit reports Cleocin Allegra, Valtrex Avandia? Instant approval credit cards in uk Valtrex, New credit score Boost your credit score? Just credit score Your credit reports Dance Last Ringtones Ambien. Guaranteed instant approval credit cards with no credit Inderal Credit score to Cheap Tramadol Freecreditreports Check credit scores: Buy Flomax Poor credit scores Paxil Free Sprint Ringtones Acyclovir Improve my credit score Buy Elavil Credit report score trans union: Credit report dispute forms Adalat Order credit reports Linux VPN Buy Plavix Apr balance transfer credit cards Raising your credit score Augmentin Fix my credit score Your credit report. Install VPN Tramadol Online Instant online approval for credit cards Apr credit cards Allegra Cheap Zoloft Find my credit score Free government credit report. Viagra Credit report fico scores Credit card consolidation company Kmart credit card application Checkpoint VPN Shell credit card application Buy Lisinopril Personal credit score! Codeine Instant approval credit cards with bad or no credit Get my credit report Verizon Ringtones. Annual credit report free Buy Tricor. Viagra Online Credit free improve score Plendil Student credit cards with no apr, Good credit score Credit card application high credit line immediate approval No apr no annual fee low interest credit cards Zanaflex Explaining credit report scores Cheap Celexa Cheap Actos Buy Zyrtec. Cheap Viagra Soft + Cialis Soft Retin A Check credit scores Credit cards with 0 apr Carisoprodol Online 3 credit reporting agencies Credit cards mwith low apr Sleepwell Instant free credit report 3 bureau online credit report Xenical Best intoductory apr credit cards Free online credit report no trial offer Citi credit report Cheap Flonase Poor credit score, Union credit reports Household bank credit card application Online Soma VPN setup xp Motrin Best card credit debt get way Buy Celexa Buy Clarinex Mobic Cheap Lisinopril. Fix credit score Credit score system Cheap Plavix Credit card application with instant decision VPN tunneling Cheap Actos Soma Buy Coreg Plavix Didrex, Credit card application instant decision Cosigning credit card applications Meridia Business credit report repair Get credit score Credit repair report service To raise my credit score With low credit scores Check credit report Online student credit card application Clomid Deltasone, Chase credit card application status Selena Ringtones! Credit scores mortgage Kmart credit card reward Free credit report gov 0 apr creditcards Cozaar Free credit report service: Instant approval credit cards for Cheap Hoodia. Fioricet Average national credit score? Open VPN Raise your credit score: Hydrocodone To improve credit score Online Viagra Soft + Cialis Soft Fair credit reporting agency New Ringtones Cheap Viagra Professional! Zovirax Low apr balance transfer credit cards! Credit report Instant approval on credit cards Anonymous surfing Credit card applications with. Online Ultram Singulair Avoiding student credit card debt Credit reports canada Buy Inderal Ativan Drug! Lorazepam Credit card application form Cheap Norvasc Credit reports for landlords Best ways to eliminate credit card debt Altace: Acomplia Lamisil Buy Celebrex Zestril! No apr credit cards Credit report dispute form. Credit card application with instant decision Adipex Diet Pills Fixed apr business credit cards Credit reporting bureau Nortel VPN Exelon Annual credit report free Exxon credit card application Buy Viagra Jelly Valium No Prescription Credit report fico score How to improve my credit score
« But will it scale?
Persistent Storage on Amazon EC2 Announced »

Bad things done well: accepting dangerous input with Rails

For various reasons I need to be able to be able to accept some script input from the client.

The basic requirement is to be able to accept some Ruby code from the client in order to allow customisation of the HTML output from an RSS feed.

This is obviously a rather dangerous thing. I essentially need to allow arbitrary Ruby to be executed with an eval

However, in Ruby, we can run code in SAFE mode.

At Level 4:

Ruby effectively partitions the running program in two. Nontainted objects may not be modified. Typically, this will be used to create a sandbox: the program sets up an environment using a lower $SAFE level, then resets $SAFE to 4 to prevent subsequent changes to that environment

The core of my approach is to create a new Thread, set the SAVE level to 4 and call a method.

feed = FeedNormalizer::FeedNormalizer.parse(open(self.url))
thread = Thread.start {
$SAFE = 4
html = safe_method(feed, script)}
}
thread.join #wait for the thread to finish

The safe_method itself does a sanity check on the safe level. The method takes a feed object and a script - the script is processed using eval and because the feed object is in the context, the script has access to it. However, the safe level prevents any malicious code from attempting to use Ruby magic and meta-programming to gain access to variables outside the thread or any globals

def safe_method(feed,script)
if ( $SAFE < 4 )
raise “SecurityException: attempting to execute UNSAFE script”
end

html = “”
eval(script)
return html
end

The user can then pass in code that looks like:

html << “<h2>#{feed.title}</h2>”
html << “<ul>”
feed.entries.each do |entry|
  html << “<li><a href=\”#{entry.urls.first}\”>#{entry.title}</a></li>”
end
html << “</ul>”

And the feed is processed without (too much) risk.

Share This

This entry was posted on Wednesday, April 2nd, 2008 at 10:23 pm and is filed under Code, Programming, Ruby, Ruby on Rails. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

3 Responses to “Bad things done well: accepting dangerous input with Rails”

  1. Ben Says:
    April 3rd, 2008 at 6:26 pm

    Could you not use something like Liquid templates (http://www.liquidmarkup.org/) to achieve the same outcome (but much more safely)?

  2. Web 2.0 Announcer Says:
    April 6th, 2008 at 4:31 am

    Bad things done well: accepting dangerous input with Rails…

    […]Sometimes you have to do things that are dangerous. In my case I had to accept script input from the browser and work out a way of executing it without having my system totally hacked. Discover how to run Ruby code in a Sandbox![…]…

  3. admin Says:
    April 6th, 2008 at 5:06 am

    LiquidMarkup looks pretty comprehensive, I might have a look at it.

Leave a Reply

Close
E-mail It