I'm interested in providing my clients the ability to upload
expressions that I can evaluate to determine the values of various
components of some business calculations. Eval'ing the expressions is
the simplest solution, but it's of course unsafe. Can anyone help me
flesh out my list of options:
1. Why's sandbox, which has been forked on github but doesn't seem to
be undergoing ongoing maintenance:
http://github.com/Sophrinix/sandbox, and thus will probably be a
problem once ruby-1.9 rolls around
2. Write my own parser and interpreter - any ruby libraries that would
be particularly helpful in this regard?
3. Marshal the binding and the expression out to a javascript or other
safe interpreter for evaluation
4. Require the expressions to be blessed by trustees before being evaluated
Any other suggestions?
- donald
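As an added illustration of option 2 above (this code is not from the thread and not from any of the projects mentioned in it): a small whitelisting recursive-descent evaluator for client-supplied arithmetic formulas, written in place of Kernel#eval. The lexer rejects any character outside numbers, identifiers, + - * / and parentheses before anything is evaluated, and identifiers resolve only against a Hash the host application supplies, so a formula can never reach Ruby objects, methods or constants. The variable names and bindings (`subtotal`, `tax_rate`, `discount`) are constructed for the example.

```ruby
require 'strscan'

# Raised for any input the evaluator refuses: bad characters, syntax errors,
# unknown variables, division by zero.
class ExpressionError < StandardError; end

# Grammar (all that is accepted):
#   expr   := term (('+' | '-') term)*
#   term   := factor (('*' | '/') factor)*
#   factor := '-' factor | number | identifier | '(' expr ')'
class SafeExpression
  def initialize(source)
    @tokens = tokenize(source)   # rejects illegal input before any evaluation
  end

  # vars: Hash of variable name => Numeric, supplied by the application.
  def evaluate(vars = {})
    @vars = vars
    @pos = 0
    value = parse_expr
    raise ExpressionError, "unexpected #{peek[1].inspect}" if peek
    value
  end

  private

  # Lexer: only the whitelisted token classes are produced; anything else
  # (semicolons, dots, quotes, backticks, ...) raises immediately.
  def tokenize(src)
    s = StringScanner.new(src)
    tokens = []
    until s.eos?
      next if s.skip(/\s+/)
      if s.scan(/\d+(?:\.\d+)?/) then tokens << [:num, s.matched.to_f]
      elsif s.scan(/[A-Za-z_]\w*/) then tokens << [:ident, s.matched]
      elsif s.scan(%r{[-+*/()]}) then tokens << [:op, s.matched]
      else raise ExpressionError, "illegal character #{s.peek(1).inspect}"
      end
    end
    tokens
  end

  def peek
    @tokens[@pos]
  end

  def advance
    tok = @tokens[@pos]
    @pos += 1
    tok
  end

  # Consume and return the operator if the next token is one of ops.
  def accept(*ops)
    tok = peek
    return nil unless tok && tok[0] == :op && ops.include?(tok[1])
    advance[1]
  end

  def expect(op)
    accept(op) or raise ExpressionError, "expected #{op.inspect}"
  end

  def parse_expr
    value = parse_term
    while (op = accept('+', '-'))
      rhs = parse_term
      value = op == '+' ? value + rhs : value - rhs
    end
    value
  end

  def parse_term
    value = parse_factor
    while (op = accept('*', '/'))
      rhs = parse_factor
      if op == '*'
        value *= rhs
      else
        raise ExpressionError, 'division by zero' if rhs.zero?
        value /= rhs
      end
    end
    value
  end

  def parse_factor
    return -parse_factor if accept('-')
    return parse_expr.tap { expect(')') } if accept('(')
    tok = advance or raise ExpressionError, 'unexpected end of expression'
    case tok[0]
    when :num then tok[1]
    when :ident
      @vars.fetch(tok[1]) { raise ExpressionError, "unknown variable #{tok[1]}" }
    else raise ExpressionError, "unexpected #{tok[1].inspect}"
    end
  end
end

# Returns the numeric result of a formula, or raises ExpressionError.
def evaluate_formula(source, vars = {})
  SafeExpression.new(source).evaluate(vars)
end

# True when the evaluator refuses the input instead of running it.
def rejected?(source, vars = {})
  evaluate_formula(source, vars)
  false
rescue ExpressionError
  true
end

if __FILE__ == $0
  # Constructed sample bindings, as the host application would provide them.
  bindings = { 'subtotal' => 120.0, 'tax_rate' => 0.08, 'discount' => 10 }
  puts evaluate_formula('(subtotal - discount) * (1 + tax_rate)', bindings)
  puts rejected?("subtotal + 1; puts 'hello'", bindings)  # ';' is not whitelisted
end
```

Because the parser never hands the string to Ruby, the attack surface is the grammar itself: extending it (say, with a whitelisted set of functions) means adding a case to `parse_factor`, not widening what `eval` may see.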
On Thu, Jan 28, 2010 at 3:15 PM, Donald Ball <donald.ball@gmail.com> wrote:
> I'm interested in providing my clients the ability to upload
> expressions that I can evaluate to determine the values of various
> components of some business calculations. Eval'ing the expressions is
> the simplest solution, but it's of course unsafe. Can anyone help me
> flesh out my list of options:
> 1. Why's sandbox, which has been forked on github but doesn't seem to
> be undergoing ongoing maintenance:
> http://github.com/Sophrinix/sandbox, and thus will probably be a
> problem once ruby-1.9 rolls around

I wouldn't call that production software yet. I will add that to the
readme tonight.
Not that it is unstable, but rather that I haven't tested it as much
as I need to.

> 2. Write my own parser and interpreter - any ruby libraries that would
> be particularly helpful in this regard?

On TryRuby I am using FakeFS to handle any File related operations,
and there is a bit of a sandbox built into that code.
In fact, running a copy of try ruby wouldn't be a bad idea.
As long as you know how to load a ruby cgi file in apache/your favorite
web browser.
Another approach could be hotruby (which runs entirely client side in
javascript)

> - donald

Andrew McElroy
TryRuby.org
github.com/Sophrinix