Nick Sieger wrote:
On Thu, Mar 27, 2008 at 12:39 AM, Tegan Clark <[EMAIL PROTECTED]> wrote:
Hi,
I'm using JRuby to allow users to script my Java framework and extend it
through Ruby script at plug points.
What I want to do is only allow the Ruby script access to the Java objects I
pass into the JSR 223 context, i.e. I want to prohibit a user accessing the
file system, network etc. through the available Java classes.
Is there anyway to stop this example evaled Ruby from working (calling via
JSR 223):
ScriptEngineManager scriptEngineMgr = new ScriptEngineManager();
ScriptEngine engine = scriptEngineMgr.getEngineByName("jruby");
engine.eval("r = java.util.Random.new \n puts r.nextInt");
i.e. stopping Ruby code creating or statically calling Java objects.
There are two things that I can think of, but both will require quite
a bit of work.
1. Rebuild JRuby such that it prevents loading javasupport (search for
"java.rb" in Ruby.java). Not sure if this will fully work.
2. Revitalize Ola's javasand project [1], which is a way of creating a
sandboxed environment where you can remove classes, modules, and
methods, or explicitly only include what you want.
Or you can instantiate your own JRuby runtime, using a customized
implementation of the org.jruby.Profile interface, and disallow the
require of "java" from happening.
--
Ola Bini (http://ola-bini.blogspot.com)
JRuby Core Developer
Developer, ThoughtWorks Studios (http://studios.thoughtworks.com)
Practical JRuby on Rails (http://apress.com/book/view/9781590598818)
"Yields falsehood when quined" yields falsehood when quined.
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
