Allowing unsafe object access


Thatcher

Dec 30, 2010, 1:37:27 PM
to The Ruby Racer
The wiki mentions that therubyracer is safe by default in terms of
object access but I'd like to allow it to be unsafe. I don't see an
example illustrating how to achieve this. Is this possible?

From the wiki page (https://github.com/cowboyd/therubyracer/wiki/Accessing-Ruby-Objects-From-JavaScript):
'''
#3 Safe by default

JavaScript has been used since its earliest beginnings to provide an
eval-safe sandbox in which anonymous code can be executed without
posing any danger to the host system. To enable this type of
development, one of the design goals of The Ruby Racer is for
developers to have the freedom to build their JavaScript
environments confident that the framework won't silently
introduce dangerous security holes. Unsafe behavior must be explicitly
included into the default JavaScript runtime.
'''

I would like to be able to access everything in Ruby from
JavaScript, e.g.:

Ruby.File.open(path, 'r');
var log = function(msg){ Ruby.puts(msg); }

without having to explicitly define these. Any thoughts?

Thanks,
Thatcher

Charles Lowell

Jan 17, 2011, 12:01:21 PM
to The Ruby Racer
Thatcher,

Oops, I almost missed your email because I was on vacation. I'm so
sorry for the late response! What you want to do is override the
default access strategy.

Each context lets you tell it how you want your ruby objects to
appear. The "safe" way is just the default.

The access object needs to define 8 methods (4 really, but you need
one each for named property access and indexed property access). Each
method is passed a block. Yielding to this block
tells the ruby racer "I don't know anything about this method". This is
how, for example, you make a ruby property undefined as opposed to
null.

get(obj, name, &dontintercept)
iget(obj, index, &dontintercept)

set(obj, name, value, &dontintercept)
iset(obj, index, value, &dontintercept)

# this is for metadata about the property... things like
# DONTENUM and DONTDELETE, etc...
# you probably won't need it
query(obj, name, attributes)
iquery(obj, index, attributes)

#returns all enumerable property names
names(obj)
#returns all enumerable property indices
indices(obj)

This is the default "safe" implementation:

https://github.com/cowboyd/therubyracer/blob/master/lib/v8/access.rb

I'd start by subclassing that.

hope that helps! And sorry I missed your original message.

cheers,
Charles


On Dec 30 2010, 12:37 pm, Thatcher <thatcher.christop...@gmail.com>
wrote:
> The wiki mentions that therubyracer is safe by default in terms of
> object access but I'd like to allow it to be unsafe.  I don't see an
> example illustrating how to achieve this.  Is this possible?
>
> From the wiki page (https://github.com/cowboyd/therubyracer/wiki/Accessing-Ruby-Objects-F...

Charles Lowell

Jan 17, 2011, 2:38:16 PM
to The Ruby Racer
Also, what I said just applies to methods that are defined on Object,
Kernel and friends. Any object that you *explicitly* embed into the V8
context (and returning it to javascript counts as embedding) will be
there.

https://gist.github.com/783330



On Dec 30 2010, 12:37 pm, Thatcher <thatcher.christop...@gmail.com>
wrote:
> The wiki mentions that therubyracer is safe by default in terms of
> object access but I'd like to allow it to be unsafe.  I don't see an
> example illustrating how to achieve this.  Is this possible?
>
> From the wiki page (https://github.com/cowboyd/therubyracer/wiki/Accessing-Ruby-Objects-F...

Thatcher

Jan 26, 2011, 11:36:21 PM
to The Ruby Racer
Awesome, thanks! I'll let you know if I run into more issues.
TheRubyRacer is included as a new supported platform in Envjs, which
provides a 'headless' browser javascript environment (http://github.com/envjs).
It's very fast and the integration was very simple with The RubyRacer.

Thanks again,
Thatcher

Charles Lowell

Jan 27, 2011, 8:49:49 AM
to therub...@googlegroups.com

That is fantastic news! Let me know if you have any more problems.

cheers,
Charles
