Hello,
I would like to accomplish the following tasks:
The user writes some ruby code into a text field inside the browser,
clicks submit, the code travels to the server where it is evaluated and
the result is sent back and displayed.
The only problem with this can be on the server. E.g. if someone types
'format c:\' into the text field, well... you know what i mean. Maybe
dumb example, but i am quite sure some h4ck3rs out there can do better
than this.
Basically i do not care whether this stuff is a (f)CGI, Rails or
something else, AJAX or not, my question is simply the following: Is it
possible to put sufficiently large barricade around the evaluation code
on the server so that it is perfectly safe from attacks through
malicious code?
E.g. remove the 'require' keyword, I/O,... I really do not need much
there, basically some String ops, basic maths etc. Of course i can
specify the set of needed classes exactly (or the not needed ones,
whichever is easier to specify).
What do you think? Will it be ever really possible to say after some
modding that it will be 100% hackerproof?
Thanks,
Peter