How to safely let users submit custom themes/plugins for a Rails app

Question

In my rails app I'd like to let users submit custom "themes" to display data in various ways.

I think they can get the data in the view using API calls and I can create an authentication mechanism for this. Also an authenticated API to save data. So this is probably safe.

But i'm struggling with the best way to let users upload/submit their own code for the theme.

I want this to work sort of like Wordpress themes/plugins where people can upload the thing. But there are some security risks. For example, if I take the uploaded "theme" a user submits and put it in it's own directory somewhere inside the rails app, what are the risks of this?

If the user inserts any rails executable code in their theme, even though it's the view they have full access at that point to all the models, everyone's data, etc. Even from other users. So that is not good.

I need some way to let the uploaded themes exist in a sandbox of the rails app, but I haven't seen a good way to do this. Any ideas?

Answer 1

It looks like this might have potential: http://flouri.sh/2007/10/27/safely-exposing-your-app-to-a-ruby-sandbox

Answer 2

You could try Liquid (http://www.liquidmarkup.org/), which was developed to allow users to create their own themes for Shopify. Liquid themes aren’t real Ruby code, so you shouldn’t have to worry about users trying to access things they shouldn’t.

Another option is Ruby’s concept of “tainted” objects, which could be used to implement secure themes/plugins while still allowing users to write actual Ruby code. You can read more about it here. I can’t vouch for how secure it is as I’ve never used it.

Answer 3

I'm also thinking about letting users submit their own sinatra apps and then running them from within rails. It looks like with Rack routing this is possible. I haven't been able to find any data on how/if the sinatra app is sandboxed from the rails app though. If anyone has info please let me know!