DEVHIDE
Login Or Sign up

How do you mark a Ruby Binding as trusted?

1k Views Asked by At

From this article http://www.stuartellis.eu/articles/erb referring to thread safety levels:

"At this level, the specified binding must be marked as trusted for ERB to use it."

I've searched high and low and haven't found a way to "mark" a Binding as "trusted".

Will somebody please enlighten me?

ruby multithreading trusted
Original Q&A
1

There are 1 best solutions below

0
On BEST ANSWER

You should taint the binding by calling the taint method.

The $SAFE levels are a feature of Ruby that denies certain actions depending on the current level and whether an object is tainted. Tainted strings are assumed to originate from an untrusted source, such as a file, a database, a HTTP client, etc.

At $SAFE level 1, for example, Ruby will not allow you to require files if the argument is a tainted string.

$SAFE level 4 is the most extreme. Ruby will effectively disallow you to modify any nontained object. The idea is that you can use a lower $SAFE level in your application, and instantiate a thread or proc with $SAFE level 4. Within this sandbox, you can modify tainted objects only.

ERB uses this mechanism to allow you to run a template within a sandbox. If you try to get the result of a rendered template from a certain binding, this is what happens:

class TemplateContext
  def name; "Teflon Ted"; end
end

template_binding = TemplateContext.new.send(:binding)
ERB.new("Hi, <%= name %>!", 4).result(template_binding)

#=> SecurityError: Insecure: can't modify trusted binding

Blam! This is Ruby telling you that it is not okay to modify a nontainted object at $SAFE level 4. It will not allow you to call eval with the given binding (which is exactly what ERB attempts).

Instead, you should provide the sandbox with a tainted binding. You are explicitly telling Ruby that it is okay to use this binding in a sandbox, and that it should not be trusted outside the sandbox.

class TemplateContext
  def name; "Teflon Ted"; end
end

# Binding must be tainted!
template_binding = TemplateContext.new.send(:binding).taint
ERB.new("Hi, <%= name %>!", 4).result(template_binding)

#=> "Hi, Teflon Ted!"

For more information about Ruby's $SAFE level, see the excellent description in the Pickaxe book.

Related Questions in RUBY

Related Questions in MULTITHREADING

Related Questions in TRUSTED

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.