堆栈内存溢出
  简体   繁体   English

JRuby DSL封装,不包括标准库

[英]JRuby DSL encapsulation, exclude standard library

 原文  2013-12-04 18:01:27       java/ ruby/ security/ jruby/ dsl

问题描述

I'm trying to make a Java program that allows users to do some limited scripting with a Ruby DSL that I've written. 我正在尝试创建一个Java程序,允许用户使用我编写的Ruby DSL进行一些有限的脚本编写。 The script the user writes is saved to a Proc object in JRuby. 用户编写的脚本将保存到JRuby中的Proc对象中。 The problem arises in that the user can still access methods that are standard to Ruby, such as File.new , or creating classes, or basically messing with other internal logic of the program or computer. 问题出现在用户仍然可以访问Ruby标准的方法,例如File.new ,或创建类,或者基本上搞乱程序或计算机的其他内部逻辑。

Is there a way to limit the user's script to only the constraints of the DSL, using JRuby or Ruby or even Java? 有没有办法使用JRuby或Ruby甚至Java将用户的脚本限制为仅限于DSL的约束? Or at least to remove the user's access to certain classes? 或者至少删除用户对某些类的访问权限?

1 个解决方案

解决方案1
 1  2013-12-10 15:54:54

Since you're running under JRuby, you can use a Java security policy ( policy file documentation ) to prevent users from being able to do things like file or network I/O. 由于您在JRuby下运行,因此可以使用Java安全策略策略文件文档 )来防止用户执行文件或网络I / O等操作。 Of course, this will keep your code from having those capabilities, too! 当然,这也会使您的代码无法拥有这些功能! You can whitelist code by jar URI or by jar signature, so one tactic is to create a "hull" of trusted code that strongly validates its input, package it in its own jar, trust it, and use it exclusively for your own code. 您可以通过jar URI或jar签名将代码列入白名单,因此一种策略是创建可靠代码的“外壳”,强烈验证其输入,将其打包在自己的jar中,信任它,并专门用于您自己的代码。 Doing this right gets complicated fast (have an extensive test suite!), but it can be done. 这样做很快就会变得复杂(有一个广泛的测试套件!),但它可以完成。

To have explicit control over the namespace available to your DSL, you can use BasicObject . 要明确控制DSL可用的命名空间,可以使用BasicObject It doesn't mix in Kernel or any of the other things available in the standard Ruby namespace. 它不会混合使用Kernel或标准Ruby命名空间中可用的任何其他内容。 This doesn't give you security , though, because users can still use ::File directly or include ::Kernel to get it all back! 但是,这并不能为您提供安全性 ,因为用户仍然可以直接使用::File或者include ::Kernel来获取所有内容!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Jruby的统计库 - Statistics library for Jruby 找不到Gradle DSL方法:exclude() - Gradle DSL method not found: exclude() 是否有用于数据完整性验证的标准 DSL? - Is there a standard DSL for data integrity validation? 将Ruby Library(permailer)打包为.jar(使用JRuby) - Package Ruby Library (permailer) as .jar (using JRuby) 遵守JavaBeans命名标准是否可以帮助实现封装? - Can adhering to the JavaBeans naming standard aid in achieving encapsulation? 明确排除依赖项是标准做法吗? - Is it a standard practice to explicitly exclude dependencies? Gradle失败:找不到支持的Gradle DSL方法:'exclude()' - Gradle failed: unsupported Gradle DSL method found: 'exclude()' 找到Java标准库 - Locate Java standard library 实用程序库的日志记录标准 - Logging standard for utility library Java标准库 - 图形? - Java standard library - graph?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM