Asp Forum - Executing code in a variable

Zangief Ief

4/20/2008 9:43:00 AM

Hello,

I have a Ruby code stocked into a Ruby variable like this:

buffer = ' puts "Hello World!" '

Is there a way for execute the current code by using buffer variable ?

Thanks
--
Posted via http://www.ruby-....

11 Answers

Sebastian Hungerecker

4/20/2008 10:08:00 AM

Zangief Ief wrote:
> I have a Ruby code stocked into a Ruby variable like this:
>
> buffer = ' puts "Hello World!" '
>
> Is there a way for execute the current code by using buffer variable ?

eval buffer

HTH,
Sebastian
--
NP: Depeche Mode - Strangelove
Jabber: sepp2k@jabber.org
ICQ: 205544826

Christian Theil Have

4/20/2008 10:12:00 AM

On Apr 20, 11:43 am, Zangief Ief <z4n9...@gmail.com> wrote:
> Hello,
>
> I have a Ruby code stocked into a Ruby variable like this:
>
> buffer = ' puts "Hello World!" '
>
> Is there a way for execute the current code by using buffer variable ?
>
> Thanks
> --
> Posted viahttp://www.ruby-....

Sure, you can use eval, eg.

irb(main):002:0> eval 'puts "Hello world"'
Hello world
=> nil

However, eval should be usually avoided. Instead Ruby has the methods
instance_eval, class_eval and module_eval, which works the same as
eval but the argumented is executed in the scope of the current object/
class/module.

Regards,
Christian

Zangief Ief

4/20/2008 10:29:00 AM

Thanks you a lot! I think I will use instance_eval to do so.
:)
--
Posted via http://www.ruby-....

Robert Klemme

4/20/2008 10:33:00 AM

On 20.04.2008 11:43, Zangief Ief wrote:
> I have a Ruby code stocked into a Ruby variable like this:
>
> buffer = ' puts "Hello World!" '
>
> Is there a way for execute the current code by using buffer variable ?

http://ruby-doc.org/core/classes/Kernel.ht...

robert

David A. Black

4/20/2008 12:50:00 PM

Hi --

On Sun, 20 Apr 2008, christiantheilhave@gmail.com wrote:

> On Apr 20, 11:43 am, Zangief Ief <z4n9...@gmail.com> wrote:
>> Hello,
>>
>> I have a Ruby code stocked into a Ruby variable like this:
>>
>> buffer = ' puts "Hello World!" '
>>
>> Is there a way for execute the current code by using buffer variable ?
>>
>> Thanks
>> --
>> Posted viahttp://www.ruby-....
>
> Sure, you can use eval, eg.
>
> irb(main):002:0> eval 'puts "Hello world"'
> Hello world
> => nil
>
> However, eval should be usually avoided. Instead Ruby has the methods
> instance_eval, class_eval and module_eval, which works the same as
> eval but the argumented is executed in the scope of the current object/
> class/module.

The main advantage of instance/class/module_eval over eval, though, is
that they can take a block and therefore you don't have to evaluate a
string. If you do this:

obj.instance_eval(str)

it's no better or worse, from the point of view of safety, than using
eval.

David

--
Rails training from David A. Black and Ruby Power and Light:
INTRO TO RAILS June 9-12 Berlin
ADVANCING WITH RAILS June 16-19 Berlin
INTRO TO RAILS June 24-27 London (Skills Matter)
See http://www.r... for details and updates!

Robert Klemme

4/20/2008 1:25:00 PM

On 20.04.2008 14:50, David A. Black wrote:
> Hi --
>
> On Sun, 20 Apr 2008, christiantheilhave@gmail.com wrote:
>
>> On Apr 20, 11:43 am, Zangief Ief <z4n9...@gmail.com> wrote:
>>> Hello,
>>>
>>> I have a Ruby code stocked into a Ruby variable like this:
>>>
>>> buffer = ' puts "Hello World!" '
>>>
>>> Is there a way for execute the current code by using buffer variable ?
>>>
>>> Thanks
>>> --
>>> Posted viahttp://www.ruby-....
>> Sure, you can use eval, eg.
>>
>> irb(main):002:0> eval 'puts "Hello world"'
>> Hello world
>> => nil
>>
>> However, eval should be usually avoided. Instead Ruby has the methods
>> instance_eval, class_eval and module_eval, which works the same as
>> eval but the argumented is executed in the scope of the current object/
>> class/module.
>
> The main advantage of instance/class/module_eval over eval, though, is
> that they can take a block and therefore you don't have to evaluate a
> string. If you do this:
>
> obj.instance_eval(str)
>
> it's no better or worse, from the point of view of safety, than using
> eval.

It is slightly better because with #instance_eval you can control what
"self" is set to and avoid a certain class of issues:

irb(main):001:0> class Foo
irb(main):002:1> attr_accessor :bar
irb(main):003:1> def work1(s)
irb(main):004:2> eval s
irb(main):005:2> end
irb(main):006:1> def work2(s)
irb(main):007:2> Object.new.instance_eval(s)
irb(main):008:2> end
irb(main):009:1> end
=> nil
irb(main):010:0> f=Foo.new
=> #<Foo:0x7ff7acf4>
irb(main):011:0> f.bar="important"
=> "important"
irb(main):012:0> f.work2 "@bar='messed'"
=> "messed"
irb(main):013:0> f.bar
=> "important"
irb(main):014:0> f.work1 "@bar='messed'"
=> "messed"
irb(main):015:0> f.bar
=> "messed"
irb(main):016:0>

But this is just a gradual difference - there is still enough damage
that can be done by evaluating strings or arbitrary code.

irb(main):016:0> f.work2 "puts 'ooops!';exit 1"
ooops!

robert@fussel ~

Kind regards

robert

David A. Black

4/20/2008 1:54:00 PM

Hi --

On Sun, 20 Apr 2008, Robert Klemme wrote:

> On 20.04.2008 14:50, David A. Black wrote:
>> Hi --
>>
>> On Sun, 20 Apr 2008, christiantheilhave@gmail.com wrote:
>>
>>> On Apr 20, 11:43 am, Zangief Ief <z4n9...@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> I have a Ruby code stocked into a Ruby variable like this:
>>>>
>>>> buffer = ' puts "Hello World!" '
>>>>
>>>> Is there a way for execute the current code by using buffer variable ?
>>>>
>>>> Thanks
>>>> --
>>>> Posted viahttp://www.ruby-....
>>> Sure, you can use eval, eg.
>>>
>>> irb(main):002:0> eval 'puts "Hello world"'
>>> Hello world
>>> => nil
>>>
>>> However, eval should be usually avoided. Instead Ruby has the methods
>>> instance_eval, class_eval and module_eval, which works the same as
>>> eval but the argumented is executed in the scope of the current object/
>>> class/module.
>>
>> The main advantage of instance/class/module_eval over eval, though, is
>> that they can take a block and therefore you don't have to evaluate a
>> string. If you do this:
>>
>> obj.instance_eval(str)
>>
>> it's no better or worse, from the point of view of safety, than using
>> eval.
>
> It is slightly better because with #instance_eval you can control what "self"
> is set to and avoid a certain class of issues:
>
> irb(main):001:0> class Foo
> irb(main):002:1> attr_accessor :bar
> irb(main):003:1> def work1(s)
> irb(main):004:2> eval s
> irb(main):005:2> end
> irb(main):006:1> def work2(s)
> irb(main):007:2> Object.new.instance_eval(s)
> irb(main):008:2> end
> irb(main):009:1> end
> => nil
> irb(main):010:0> f=Foo.new
> => #<Foo:0x7ff7acf4>
> irb(main):011:0> f.bar="important"
> => "important"
> irb(main):012:0> f.work2 "@bar='messed'"
> => "messed"
> irb(main):013:0> f.bar
> => "important"
> irb(main):014:0> f.work1 "@bar='messed'"
> => "messed"
> irb(main):015:0> f.bar
> => "messed"
> irb(main):016:0>
>
> But this is just a gradual difference - there is still enough damage that can
> be done by evaluating strings or arbitrary code.
>
> irb(main):016:0> f.work2 "puts 'ooops!';exit 1"
> ooops!

That's the thing -- I think it's more a string thing, and the dangers
of untrusted input (which can really do anything), than the question
of what self is, since the untrusted input problem can always reassert
itself.

David

--
Rails training from David A. Black and Ruby Power and Light:
INTRO TO RAILS June 9-12 Berlin
ADVANCING WITH RAILS June 16-19 Berlin
INTRO TO RAILS June 24-27 London (Skills Matter)
See http://www.r... for details and updates!

Robert Dober

4/20/2008 2:31:00 PM

On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <dblack@rubypal.com> wrote:

As David I am not sure that instance_eval is safer than eval. As the
following example shows a save eval can be done by deleting all
dangerous methods before evalling:

module Kernel
class << self
methods.each do |m|
next if /^__/ === m
Object::send :remove_method, m
end
end
instance_methods.each do |m|
next if /^__/ === m
Object::send :remove_method, m
remove_method m
end
end

eval %<system "ls -l">

Now this might not often be very useful though as we do not have a
sandbox or to put it better, it is much work to get out
of the sandbox again as we have to redefine all methods again (well I
did not safe them in the first place here). Furthermore my sandbox is
empty!!!

Is there an easy way to do this?

Cheers
Robert
--
http://ruby-smalltalk.blo...

---
Whereof one cannot speak, thereof one must be silent.
Ludwig Wittgenstein

Christopher Dicely

4/20/2008 4:53:00 PM

On Sun, Apr 20, 2008 at 7:31 AM, Robert Dober <robert.dober@gmail.com> wrote:
> On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <dblack@rubypal.com> wrote:
>
> As David I am not sure that instance_eval is safer than eval. As the
> following example shows a save eval can be done by deleting all
> dangerous methods before evalling:
>
> module Kernel
> class << self
> methods.each do |m|
> next if /^__/ === m
> Object::send :remove_method, m
> end
> end
> instance_methods.each do |m|
> next if /^__/ === m
> Object::send :remove_method, m
> remove_method m
> end
> end
>
>
> eval %<system "ls -l">
>
> Now this might not often be very useful though as we do not have a
> sandbox or to put it better, it is much work to get out
> of the sandbox again as we have to redefine all methods again (well I
> did not safe them in the first place here). Furthermore my sandbox is
> empty!!!
>
> Is there an easy way to do this?

Well, we could use _why's Freaky Freaky Sandbox:
http://code.whytheluckystiff.ne...

Robert Dober

4/20/2008 5:14:00 PM

On Sun, Apr 20, 2008 at 6:53 PM, Christopher Dicely <cmdicely@gmail.com> wrote:
>
> On Sun, Apr 20, 2008 at 7:31 AM, Robert Dober <robert.dober@gmail.com> wrote:
> > On Sun, Apr 20, 2008 at 3:53 PM, David A. Black <dblack@rubypal.com> wrote:
> >
> > As David I am not sure that instance_eval is safer than eval. As the
> > following example shows a save eval can be done by deleting all
> > dangerous methods before evalling:
> >
> > module Kernel
> > class << self
> > methods.each do |m|
> > next if /^__/ === m
> > Object::send :remove_method, m
> > end
> > end
> > instance_methods.each do |m|
> > next if /^__/ === m
> > Object::send :remove_method, m
> > remove_method m
> > end
> > end
> >
> >
> > eval %<system "ls -l">
> >
> > Now this might not often be very useful though as we do not have a
> > sandbox or to put it better, it is much work to get out
> > of the sandbox again as we have to redefine all methods again (well I
> > did not safe them in the first place here). Furthermore my sandbox is
> > empty!!!
> >
> > Is there an easy way to do this?
>
> Well, we could use _why's Freaky Freaky Sandbox:
> http://code.whytheluckystiff.ne...
>
Seems to be perfect, now for eval to make sense in the sandbox one has
to build the castles by onself of course :(.
R.

--
http://ruby-smalltalk.blo...

---
Whereof one cannot speak, thereof one must be silent.
Ludwig Wittgenstein

comp.lang.ruby

Executing code in a variable

Zangief Ief

Sebastian Hungerecker

Christian Theil Have

Zangief Ief

Robert Klemme

David A. Black

Robert Klemme

David A. Black

Robert Dober

Christopher Dicely

Robert Dober

x Login to ForumsZone