Trying to use $SAFE = 1 (I just wanted to put some processing in a DRb server) makes Rails unusable: it can't load some paths, data coming back from the database is tainted, and so on. For example:
rails console
Loading development environment (Rails 3.0.0)
ruby-1.9.2-p0 > $SAFE=1; User.first
SecurityError: Insecure operation - file?
from .rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:408:in `file?'
It can't load the user.rb file.
If I try User.first before setting $SAFE (so the file is already loaded), it works, but since some of the data coming from ActiveRecord seems to be tainted, it fails later when fetching other data. Errors like this:
trace: .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `BigDecimal'
.rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `to_d'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:166:in `value_to_decimal'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:77:in `type_cast'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:114:in `extract_default'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:52:in `extract_default'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:34:in `initialize'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `new'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `block in columns'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `each'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `columns'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/engines/sql/relations/table.rb:78:in `columns'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/engines/sql/relations/table.rb:64:in `attributes'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/algebra/relations/relation.rb:177:in `[]'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation.rb:312:in `primary_key'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:291:in `find_one'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:281:in `find_with_ids'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:107:in `find'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/base.rb:439:in `find'
This error can be reproduced by hand:
rails console
Loading development environment (Rails 3.0.0)
ruby-1.9.2-p0 > $SAFE=1
=> 1
ruby-1.9.2-p0 > a = "1"
=> "1"
ruby-1.9.2-p0 > a.to_d
=> #<BigDecimal:3adca98,'0.1E1',9(18)>
ruby-1.9.2-p0 > a.taint
=> "1"
ruby-1.9.2-p0 > a.to_d
SecurityError: Insecure operation - BigDecimal
from .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `BigDecimal'
from .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `to_d'
from (irb):6
from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands/console.rb:44:in `start'
from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands/console.rb:8:in `start'
from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands.rb:23:in `<top (required)>'
from <internal:lib/rubygems/custom_require>:33:in `require'
from <internal:lib/rubygems/custom_require>:33:in `rescue in require'
from <internal:lib/rubygems/custom_require>:29:in `require'
from script/rails:6:in `<main>'
ruby-1.9.2-p0 >
Any idea how to use Rails together with $SAFE = 1?
Answer 0 (score: 0)
As far as I know, there has been no real effort to make Rails run under Ruby's $SAFE mode. Doing so would raise a lot of problems: you would have to deal with models and the dynamic loading (and reloading) of controller files, routes (manually untainting data that comes from the outside world), and so on.

The Rails core team has stated its view on supporting the $SAFE variable in Rails many times. Basically, it boils down to this:

$SAFE is not an absolute protection. It avoids SQL injection and similar attacks, but it doesn't really help against XSS attacks, cookie stealing/sniffing, generally insecure design, etc.

$SAFE support would be quite clunky to implement and would slow the whole thing down significantly. Even if it were off by default, the extra .untaint calls everywhere would carry some speed penalty.

People occasionally report on the mailing list that they have succeeded in running various parts of Rails in a $SAFE environment, but it is usually limited to ERB/ERuby or other template engines and the like.