Fellow Rubyists! How many times have you thought to yourself: "If only there was a more elegant way to download and execute code from all over the internets!" Well, urirequire is the lib for you. By hijacking Kernel.require, urirequire makes it a snap to include code from anywhere on the World Wide Whatever. Sure, eval'ing code that you don't own might be dangerous; for all you know, that remote Ruby file could be undefining Class or emailing your ex-girlfriends. But I say it's time to get with the bleeding edge! Control of your own code is so February 2005.
This installs Hobix, that fantabulous blahhg engine by your friend and mine, why the lucky stiff. Sure, it looks like there's a lot of code at that URI, but if you can't trust _why, who can you trust? I mean, you trust your mom, and she couldn't draw a cartoon fox if her life depended on it.
== TAGLINES WHICH WILL PROBABLY MAKE NOBODY DOWNLOAD MY LIB BUT I THINK ARE FUNNY ANYWAY ==
urirequire: The network Pwns the computer!
urirequire: Now I'll never get that job working for Bruce Schneier.
urirequire: It's not just a solution looking for a problem. It's a solution looking for a victim.
On 11/1/05, Francis Hwang <s...@fhwang.net> wrote:
> Fellow Rubyists! How many times have you thought to yourself: "If only there was a more elegant way to download and execute code from all over the internets!"
???!??!?!? ( or something similar to that ) ... and yeah, it takes real guts to run code you don't own.
BTW, your test URL ... is 404.
j.
On 11/1/05, Wayne Vucenic <nightpho...@gmail.com> wrote:
> Hi Francis,
> On 11/1/05, Francis Hwang <s...@fhwang.net> wrote:
> > Fellow Rubyists! How many times have you thought to yourself: "If only there was a more elegant way to download and execute code from all over the internets!"
> -----Original Message-----
> From: Francis Hwang [mailto:s...@fhwang.net]
> Sent: Wednesday, 2 November 2005 2:22 PM
> To: ruby-talk ML
> Subject: [ANN] urirequire: I got yer Web 2.0 right here
########################################################################### ########## This email has been scanned by MailMarshal, an email content filter. ########################################################################### ##########
Yeah, something like that. Actually right now urirequire clocks in at 23 lines, because of certain edge cases, and the fact that it uses Kernel.require, not a new method. Of course, the utility and elegance of such an override is quite debatable.
At any rate, it's definitely quite small. Sometimes I package small seeds of functionality into libs, because Rubygems makes managing tiny libs easy, and because copy-and-paste makes the baby Jesus cry.
> ???!??!?!? ( or something similar to that ) ... and yeah, it takes real guts to run code you don't own.
> BTW, your test URL ... is 404.
Remember that when you require open-uri the file isn't actually "open-uri" -- it usually ends with an ".rb". Apply this analogously to a URI, and you'll get around that little 404 hurdle.
This'll make uri_require a nice safe place to live.... sort of.
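require 'open-uri'

module UriRequire
  Version = '0.1.1'

  # Keep a handle on the original require so non-URI names still load normally.
  @@orig_require = Kernel.method :require

  def self.orig_require; @@orig_require; end
end

# URIs go through uri_require; everything else goes to the original require.
def require( library_name, expected_digest = nil )
  if library_name =~ /^(http|https|ftp):\/\//
    uri_require( library_name, expected_digest )
  else
    UriRequire.orig_require.call library_name
  end
end

def uri_require( library_name, expected_digest = nil )
  begin
    # URI.open is the open-uri entry point; Kernel#open no longer handles URIs on Ruby 3.0+.
    contents = URI.open( library_name ) do |f| f.gets( nil ); end
  rescue OpenURI::HTTPError
    # Retry with '.rb' appended, the way require resolves a bare library name.
    library_name += '.rb'
    contents = URI.open( library_name ) do |f| f.gets( nil ); end
  end
  require 'digest/sha1'
  # Hash the downloaded source itself.
  digest = Digest::SHA1.hexdigest( contents )
  if expected_digest
    # As posted, this raises whenever a digest is supplied; the follow-up message adds the comparison.
    raise "Wrong Hash - Expected '#{expected_digest}', received '#{digest}'"
  else
    warn "Requiring a uri without a hash? Are you freakin' crazy?"
    warn "The hash is '#{digest}' for '#{library_name}'"
  end
  eval contents
end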
Daniel Sheppard wrote:
> This'll make uri_require a nice safe place to live.... sort of.
what sort of drugs am I on? Seemingly not the good ones.
if expected_digest
  raise "Wrong Hash - Expected '#{expected_digest}', received '#{digest}'" unless digest == expected_digest
I actually think this has the potential of being a damn useful library. Once you put in the hashing, I don't see why this is any more dangerous than a gem. The only problem is that you'd need to modify your code to upgrade to a newer version of a library, but there's not too much wrong with that. If you're hashing the code, it's not allowed to be modified, so you can keep a local cache of files and only download once.
Or, if you're just doing it with somewhere you can trust, you can just use it within your own scripts and let them download the latest version from a constantly-changing source.
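The hash-plus-local-cache idea from the message above, as an added example that is not part of the original post and is not urirequire's code. PinnedLoader, its method names and the injected fetcher are hypothetical, and SHA-256 is used here in place of the thread's SHA1.

```ruby
require 'digest'
require 'fileutils'
require 'tmpdir'

# Added illustration: PinnedLoader and its method names are hypothetical.
module PinnedLoader
  class DigestMismatch < StandardError; end

  # fetcher is any callable returning the source text for a URI. It is
  # injected so the example runs offline; real use could wrap URI.open.
  def self.fetch_verified(uri, pin, cache_dir:, fetcher:)
    pin = pin.to_s.downcase
    raise ArgumentError, 'a SHA-256 pin is required' unless pin.match?(/\A\h{64}\z/)

    cached = File.join(cache_dir, "#{pin}.rb")
    if File.file?(cached)
      body = File.binread(cached)
      # Re-verify on every load: the cache directory is not trusted either.
      return body if Digest::SHA256.hexdigest(body) == pin
      File.delete(cached)
    end

    body = fetcher.call(uri)
    actual = Digest::SHA256.hexdigest(body)
    raise DigestMismatch, "#{uri}: pinned #{pin}, got #{actual}" unless actual == pin

    FileUtils.mkdir_p(cache_dir)
    File.binwrite(cached, body)
    body
  end

  # Nothing is evaluated unless the bytes match the pin.
  def self.require_pinned(uri, pin, **opts)
    source = fetch_verified(uri, pin, **opts).dup.force_encoding(Encoding::UTF_8)
    eval(source, TOPLEVEL_BINDING, uri)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a one-method "library" served by a stub fetcher.
  lib = "def pinned_demo; :loaded; end\n"
  pin = Digest::SHA256.hexdigest(lib)
  Dir.mktmpdir do |dir|
    PinnedLoader.require_pinned('http://example.invalid/demo.rb', pin,
                                cache_dir: dir, fetcher: ->(_uri) { lib })
    puts pinned_demo
  end
end
```

Because the cache file is named after the pin and re-hashed on every read, a changed upstream file or a modified cache entry fails closed rather than being evaluated.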
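require 'open-uri'

# Fall back to any http:// entries in the load path ($:) when the normal require fails.
def require( resource )
  begin
    super
  rescue LoadError
    $:.each do |lp|
      if lp =~ /http:\/\//i
        begin
          # URI.open is the open-uri entry point; Kernel#open no longer handles URIs on Ruby 3.0+.
          s = URI.open( "#{lp}/#{resource}" ) { |f| f.read }
          eval s
          return
        rescue; end
      end
    end
    raise LoadError.new( "Cannot find '#{resource}'")
  end
end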
> I actually think this has the potential of being a damn useful library. Once you put in the hashing, I don't see why this is any more dangerous than a gem. The only problem is that you'd need to modify your code to upgrade to a newer version of a library, but there's not too much wrong with that. If you're hashing the code, it's not allowed to be modified, so you can keep a local cache of files and only download once.
> Or, if you're just doing it with somewhere you can trust, you can just use it within your own scripts and let them download the latest version from a constantly-changing source.
If you could adapt it so that it'll accept svn:// (or https I suppose), then you could even use it to keep libraries updated from a svn repo - which would be rather nice
On 11/2/05, Jeff Wood <jeff.darkli...@gmail.com> wrote:
> actually, we need to write a ruby-based version control system. that would be l33t ... just like urirequire ;)
> j.
> On 11/1/05, Kev Jackson <kevin.jack...@it.fts-vn.com> wrote:
> > If you could adapt it so that it'll accept svn:// (or https I suppose), then you could even use it to keep libraries updated from a svn repo - which would be rather nice
I would say, we need some sort of "ioslaves" like KDE's. Then, accessing a different location/protocol would be transparent for applications.
Thou shalt study thy libraries and strive not to reinvent them without cause, that thy code may be short and readable and thy days pleasant and productive. -- Seventh commandment for C programmers
Doesn't putting the hash in kind of defeat the purpose? If you know exactly what the file should look like, you've probably downloaded it already... and now it's local.
On Thu, Nov 03, 2005 at 02:57:08AM +0900, Adam Sanderson wrote:
> Doesn't putting the hash in kind of defeat the purpose? If you know exactly what the file should look like, you've probably downloaded it already... and now it's local.
Yes. But you could salvage the situation with PKI. So you'd specify a public key to trust, perhaps by fingerprint:
I was looking at the open-uri code, and I think it is pretty easy to expand. Well... maybe not easy, but it's doable.
Create a new URI Scheme class (example uri/ftp.rb) and add it to the URI schemes defined in the URI module (defined in uri/common.rb). Ensure that the URI defines direct_open(...) (see open-uri.rb) and include open-uri's OpenRead module.
It would be conceivable to implement open-uri support for SSH for example with the net-ssh library.
Anyways it's a thought, and that's all the spots to look in. .adam sanderson