From: andrew mcelroy on
[Note: parts of this message were removed to make it a legal post.]

On Fri, May 21, 2010 at 1:17 PM, Simon Mcbryan <smcbryan(a)> wrote:

> Hello Ruby Forum.
> I am working on a personal project that will need people to be able to
> submit bits of Ruby code so that my project can run it (eval). I know
> there is a lot of danger in this and wonder if there are any solid ways
> to avoid malicious attacks.
> From what I have read and seen on Google, there is the $SAFE (=4)
> variable which is supposed to prevent many vulnerabilities, but at the
> same time, there are many sources saying this is not reliable. Also, I
> have seen that a year or 2 ago, there was a popular Ruby project called
> Sandbox, created by a whytheluckystiff, who has apparently disappeared
> off the face of the planet, and thus killing the project.
> So I am wondering if I should attempt to work off Sandbox, although I
> don't think it is maintained or updated to the newer Ruby versions
> (1.8.7+). I am pretty new to the whole metaprogramming world, so I am
> not sure if I could handle this either. Or should I try to create my
> own system, using $SAFE, disallowing known loopholes, running in a
> thread with a kill time and timeout limit, etc. Or is there an
> alternative to Sandbox that I should be looking at that my research has
> not turned up? Thanks for your time.
> - simon

Look at Try Ruby.
$SAFE > 3 won't work in a repl, btw

Andrew McElroy

> Posted via