lib/safemode/parser.rb in safemode-1.0.2 vs lib/safemode/parser.rb in safemode-1.1.0
- old
+ new
@@ -34,11 +34,11 @@
# split up #process_call. see below ...
def process_call(exp)
receiver = jail process_call_receiver(exp)
name = exp.shift
args = process_call_args(exp)
- process_call_code(receiver, name, args)
+ process_call_code(receiver, name, args)
end
def process_fcall(exp)
# using haml we probably never arrive here because :lasgn'ed :fcalls
# somehow seem to change to :calls somewhere during processing
@@ -77,20 +77,23 @@
:if, :case, :when, :while, :until, :iter, :for, :break, :next, :yield,
:and, :or, :not,
:iasgn, # iasgn is sometimes allowed
# not sure about self ...
:self,
+ # :args is now used for block parameters
+ :args,
# unnecessarily advanced?
:argscat, :argspush, :splat, :block_pass,
:op_asgn1, :op_asgn2, :op_asgn_and, :op_asgn_or,
# needed for haml
:block ]
disallowed = [ # :self, # self doesn't seem to be needed for vcalls?
- :const, :defn, :defs, :alias, :valias, :undef, :class, :attrset,
+ # see below for :const handling
+ :defn, :defs, :alias, :valias, :undef, :class, :attrset,
:module, :sclass, :colon2, :colon3,
- :fbody, :scope, :args, :block_arg, :postexe,
+ :fbody, :scope, :block_arg, :postexe,
:redo, :retry, :begin, :rescue, :resbody, :ensure,
:defined, :super, :zsuper, :return,
:dmethod, :bmethod, :to_ary, :svalue, :match,
:attrasgn, :cdecl, :cvasgn, :cvdecl, :cvar, :gvar, :gasgn,
:xstr, :dxstr,
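Review bot: The comment `# see below for :const handling` on the disallowed list does not say what replaces the blanket denial, and a reader auditing the allow/deny lists has to find `process_const` to learn that constants are still rejected; I would make the comment self-contained: `# :const is no longer denied wholesale: process_const (below) raises for every constant except the Encoding object ruby_parser emits for __ENCODING__`. The `:args` entry moved to the allowed list deserves the same precision, since `:args` is presumably also the parameter list of method definitions in newer ruby_parser versions; that remains safe only because `:defn`/`:defs` stay in the disallowed list and raise regardless of their children, and the comment could say so: `# :args is block (and method) parameters; method definitions stay blocked via :defn/:defs`. The list continues past the end of the hunk.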
@@ -100,15 +103,22 @@
# SexpProcessor bails when we overwrite these ... but they are listed as
# "internal nodes that you can't get to" in sexp_processor.rb
# :ifunc, :method, :last, :opt_n, :cfunc, :newline, :alloca, :memo, :cref
disallowed.each do |name|
- define_method "process_#{name}" do
- code = super
+ define_method "process_#{name}" do |arg|
+ code = super(arg)
raise_security_error(name, code)
end
end
+
+ # handling of Encoding constants in ruby 1.9.
+ # Note: ruby_parser evaluates __ENCODING__ to :const Encoding::UTF_8
+ def process_const(arg)
+ raise_security_error("constant", super(arg)) unless (RUBY_VERSION >= "1.9" and arg.sexp_type.class == Encoding)
+ "Encoding::#{super(arg).gsub('-', '_')}"
+ end
def raise_security_error(type, info)
raise Safemode::SecurityError.new(type, info)
end
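Review bot: `process_const` reads `arg.sexp_type` before calling `super(arg)`, and that order is load-bearing but undocumented: the guard only works if the processor has already shifted the `:const` tag off so that `sexp_type` is the constant's payload, and if Ruby2Ruby's `process_const` consumes that payload via `shift`, hoisting `super(arg)` above the check (the natural "compute once" refactor) would break the guard. I would pin this with a comment above the `raise` line: `# must inspect arg before super(arg) consumes the node; only the Encoding object produced for __ENCODING__ passes, a symbolic Encoding::UTF_8 in source is still rejected`. It is also worth stating that the emitted `Encoding::…` name is derived from the encoding object, not from the template text, so the interpolation into generated code is not user-controlled — that is the property a security reviewer will want to confirm here. If `RUBY_VERSION >= "1.9"` is meant to guard against `Encoding` being undefined on older rubies, the comment should say that rather than leaving the string comparison unexplained.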
@@ -122,17 +132,20 @@
Ruby2Ruby::ASSIGN_NODES.include? receiver_node_type
receiver
end
def process_call_args(exp)
- args_exp = exp.shift rescue nil
- if args_exp && args_exp.first == :array # FIX
- args = "#{process(args_exp)[1..-2]}"
- else
- args = process args_exp
- args = nil if args.empty?
+ args = []
+ while not exp.empty? do
+ args_exp = exp.shift
+ if args_exp && args_exp.first == :array # FIX
+ processed = "#{process(args_exp)[1..-2]}"
+ else
+ processed = process args_exp
+ end
+ args << processed unless (processed.nil? or processed.empty?)
end
- args
+ args.empty? ? nil : args.join(", ")
end
def process_call_code(receiver, name, args)
case name
when :<=>, :==, :<, :>, :<=, :>=, :-, :+, :*, :/, :%, :<<, :>>, :** then
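Review bot: The `:array` special case inside the new loop now applies to every individual argument node, not to a single wrapping argument list as the old `# FIX` path did; if the targeted ruby_parser version emits a literal array argument as a bare `s(:array, …)` element of `exp`, then `foo([1, 2])` is rewritten to `foo(1, 2)`, silently changing the call's arity. Please add a regression test for an array-literal argument, and if the arguments are no longer wrapped in an outer `:array` node, drop the special case so the branch becomes just `processed = process(args_exp)`; if both parser layouts must be supported, the strip should be limited to the wrapping case rather than matched on node type alone. As a point of style, `while not exp.empty? do` reads better as `until exp.empty?`. `process_call_code` at the end of the hunk continues outside it.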