I’ve not really played around with $SAFE or security
in general a lot, so someone can overrule me if I’m
making mistakes.
However, where exactly are you getting this modified
String from? It seems like what you’re saying is, you
want to be able to run some arbitrary script, have it
give an object back to you, and then call the methods
of that object. Is that correct?
I’m not really sure of a good response to that
requirement. In one case, you’d know what’s in the
script, so you wouldn’t have to worry about it. If
you’re just running random code and accepting values
back, then that seems like an unsafe decision in
general, not necessarily a Ruby problem.
(Digression)
Take an example I learned in a computer security class
at college. It involves Java serialization. Basically,
if you have a client/server model that communicates
with serialized objects, you can build a malicious
object and send it to the server, as follows:
class MaliciousObject
{
static
{
doMaliciousStuff();
}
}
Since the class is sent and loaded along with the
serialized object, when the class gets loaded, the
server/client is compromized. There are lots of ways
you can try to work around this (none of which
really work 100%), however, it seemed to me at the
time that the real problem was that this server was
just accepting raw objects as input from an arbitrary
source. If you just communicate the data inside
the object, you’re fine, but as soon as you transfer
the objects themselves, it can lead to trouble.
I think the bottom line may be that you shouldn’t
be accepting and using objects from arbitrary sources.
You don’t even need Ruby’s capabilities to kill
someone in this manner, since (assuming you could)
if you subclassed String in Java, you could pass it
somewhere that accepts a String, only in your
class charAt(int) has a method body of
System.exec(“rm -rf /”);
$SAFE allows you to contain malicious code and
keep it from damaging the system, but if you allow
code to be passed out to a trusted environment,
then I think the burden would be on you to make
sure somehow that the object isn’t malicious (not
that that’s even possible, like you’ve said).
It seems to me that what you’re asking would take
a very complex security system (Java’s system is
quite complex and it doesn’t get it right), and
I don’t think $SAFE was designed to cover it.
But as I said, I’m no expert on $SAFE. Could it
be made so that objects could be marked as tainted
so that their methods couldn’t execute system(“rm -rf /”)?
Is that already the case? It’s an interesting topic.
Hope this helps.
- Dan