tags:

views:

78

answers:

3

I'd like to run user-supplied Ruby code on a server. What are the potentially nasty things that can happen? I mean things like deleting files, etc. Can you give me more examples?

Thanks in advance!

+8  A: 

Ruby allows you to set a $SAFE global variable that will determine exactly what tainted code is allowed to do. Read up more about this in Locking Ruby in the Safe.

To paraphrase, here's the table on the effects of $SAFE:

$SAFE   Constraints

0       No checking of the use of externally supplied (tainted) data is performed. This is Ruby's default mode.

>= 1    Ruby disallows the use of tainted data by potentially dangerous operations.

>= 2    Ruby prohibits the loading of program files from globally writable locations.

>= 3    All newly created objects are considered tainted.

>= 4    Ruby effectively partitions the running program in two. Nontainted objects may not be modified. Typically, this will be used to create a sandbox: the program sets up an environment using a lower $SAFE level, then resets $SAFE to 4 to prevent subsequent changes to that environment.

This is the content from the table at the bottom of the linked page, which explains what tainted objects are allowed to do at each $SAFE level. From this, you can easily infer what bad things Ruby code would be able to do.

Definition of the safe levels

$SAFE >= 1

  • The environment variables RUBYLIB and RUBYOPT are not processed, and the current directory is not added to the path.
  • The command-line options -e, -i, -I, -r, -s, -S, and -x are not allowed.
  • Can't start processes from $PATH if any directory in it is world-writable.
  • Can't manipulate or chroot to a directory whose name is a tainted string.
  • Can't glob tainted strings.
  • Can't eval tainted strings.
  • Can't load or require a file whose name is a tainted string.
  • Can't manipulate or query the status of a file or pipe whose name is a tainted string.
  • Can't execute a system command or exec a program from a tainted string.
  • Can't pass trap a tainted string.

$SAFE >= 2

  • Can't change, make, or remove directories, or use chroot.
  • Can't load a file from a world-writable directory.
  • Can't load a file from a tainted filename starting with ~.
  • Can't use File#chmod, File#chown, File#lstat, File.stat, File#truncate, File.umask, File#flock, IO#ioctl, IO#stat, Kernel#fork, Kernel#syscall, Kernel#trap, Process::setpgid, Process::setsid, Process::setpriority, or Process::egid=.
  • Can't handle signals using trap.

$SAFE >= 3

  • All objects are created tainted.
  • Can't untaint objects.

$SAFE >= 4

  • Can't modify a nontainted array, hash, or string.
  • Can't modify a global variable.
  • Can't access instance variables of nontainted objects.
  • Can't change an environment variable.
  • Can't close or reopen nontainted files.
  • Can't freeze nontainted objects.
  • Can't change visibility of methods (private/public/protected).
  • Can't make an alias in a nontainted class or module.
  • Can't get meta information (such as method or variable lists).
  • Can't define, redefine, remove, or undef a method in a nontainted class or module.
  • Can't modify Object.
  • Can't remove instance variables or constants from nontainted objects.
  • Can't manipulate threads, terminate a thread other than the current, or set abort_on_exception.
  • Can't have thread local variables.
  • Can't raise an exception in a thread with a lower $SAFE value.
  • Can't move threads between ThreadGroups.
  • Can't invoke exit, exit!, or abort.
  • Can load only wrapped files, and can't include modules in nontainted classes and modules.
  • Can't convert symbol identifiers to object references.
  • Can't write to files or pipes.
  • Can't use autoload.
  • Can't taint objects.

Mark Rushakoff
What are these "potentially dangerous operations", this is what I was actually referring to.
Thank you very much! :)
+1  A: 

All your base belong to user.

Coronatus
hehe! that's funny in a sad way! :)
+1  A: 

If you are running under normal Ruby, then pretty much anything that your current user privileges can do: so pretty much write, delete and overwrite most files, etc.

Jakub Hampl
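The point of the last answer (and the reason the first answer reaches for $SAFE) is that a string handed to eval runs with every privilege the server process has. The following is an added example, not code from the question or any of the answers, that makes this concrete: a handful of constructed "user programs" are evaluated the way a naive server might do it, and each one reads, deletes or executes something. Note that the $SAFE mechanism described above no longer exists as a control: Ruby 2.7 deprecated $SAFE and taint tracking, Ruby 3.0 turned $SAFE into an ordinary global with no effect, and Ruby 3.2 removed the taint/untaint methods, so the example deliberately does not depend on them. The APP_DATA_DIR environment variable, the file names and their contents are all assumptions made for the demo, and the damage is confined to a throwaway temporary directory.

```ruby
require "tmpdir"

# Added example (not from the original question or answers): what a
# user-supplied Ruby string can do once the server passes it to eval.
# Everything below is constructed for the demo. The server is assumed to
# expose its data directory through the hypothetical APP_DATA_DIR variable.

# Constructed "user programs". Each is an ordinary String a request body
# might carry; nothing here needs anything beyond Ruby's standard library.
USER_SNIPPETS = {
  # Read any file the server process can read (config, keys, credentials).
  read_secret:   'File.read(File.join(ENV["APP_DATA_DIR"], "secret.txt"))',
  # Delete a file; the snippet returns whether it still exists afterwards.
  delete_config: 'cfg = File.join(ENV["APP_DATA_DIR"], "config.yml"); File.delete(cfg); File.exist?(cfg)',
  # Spawn an arbitrary subprocess with the server's identity.
  run_command:   'IO.popen(["echo", "owned"], &:read).chomp',
  # Same effect as read_secret, written so that no forbidden word appears
  # in the source: the class is looked up from a string built at runtime.
  evade_filter:  'Object.const_get("Fi" + "le").read(ENV["APP_DATA_DIR"] + "/secret.txt")',
}.freeze

# A source-level blocklist of the kind people write before discovering it
# cannot work: Ruby has too many ways to reach the same object.
def naive_filter_passes?(code)
  code !~ /\b(File|Dir|IO|Kernel|system|exec|spawn|fork)\b|`/
end

# The "sandbox" most people try first: evaluate inside a fresh object so the
# snippet cannot see the caller's local variables. It hides locals and
# nothing else; the code still runs with every privilege the process has.
def run_untrusted(code)
  Object.new.instance_eval(code)
end

# Create a data directory holding constructed secrets, run every snippet
# against it, and return what each one achieved. The directory and the
# environment variable are removed again afterwards.
def demo_untrusted_code
  Dir.mktmpdir("untrusted-demo") do |dir|
    File.write(File.join(dir, "secret.txt"), "db_password=hunter2\n") # constructed
    File.write(File.join(dir, "config.yml"), "env: production\n")     # constructed
    begin
      ENV["APP_DATA_DIR"] = dir
      USER_SNIPPETS.map { |name, code| [name, run_untrusted(code)] }.to_h
    ensure
      ENV.delete("APP_DATA_DIR")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_untrusted_code.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
  USER_SNIPPETS.each do |name, code|
    puts "blocklist lets #{name} through: #{naive_filter_passes?(code)}"
  end
end
```

Running it shows read_secret returning the constructed password, delete_config returning false (the file is gone), run_command returning the output of a subprocess, and evade_filter reading the same secret while sailing past the word-based blocklist. The only sandbox that holds here is the one the operating system provides (a separate process or container running as an unprivileged user, with restricted filesystem, network and resource limits); nothing done inside the Ruby interpreter, including the old $SAFE levels, changes what the process itself is allowed to do.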