Issue #12399 has been updated by Tsuyoshi Sawada.


I forgot to add that method aliasing should also be disabled. There might be some other things that I am missing, but they can be added. I hope you get the point.

----------------------------------------
Feature #12399: Restricted, safe version of `Kernel#eval`
https://bugs.ruby-lang.org/issues/12399#change-58746

* Author: Tsuyoshi Sawada
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
`Kernel#eval` is convenient, but sometimes, it can be a security risk, and often people crazily react against using it even when it is not dangerous.

I propose to have a restricted version of `eval`, which can interpret Ruby literals, but whenever there is constant assignment, variable assignment, method call, or method definition, it raises an error.

It can be used to safely accept parameters given as a string. One example use is parameter interpretation for a command line option parser, which can easily be done under the assumption that the parameter is given as a Ruby expression.



-- 
https://bugs.ruby-lang.org/
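As an added example (not code from the issue or from Ruby itself), one way to prototype the proposed restricted `eval`: parse the string with the stdlib Ripper, accept only S-expression node types that produce data (literals, arrays, hashes, symbols, `nil`/`true`/`false`, negative numbers), and hand the text to `Kernel#eval` only after the walk succeeds. Assignments, method calls, constants and string interpolation never reach `eval`; the node names assumed below are those emitted by `Ripper.sexp`.

```ruby
require "ripper"

# Added example: a literal-only evaluator built on the stdlib Ripper parser,
# in the spirit of the proposal above (assumed node names from Ripper.sexp).
module RestrictedEval
  class Rejected < StandardError; end

  # Node types that can only produce data, never run code.
  LITERAL_NODES = %i[
    program array hash assoclist_from_args assoc_new
    string_literal string_content @tstring_content
    symbol_literal symbol @ident @int @float @label
  ].freeze
  KEYWORDS = %w[nil true false].freeze

  # Parses +src+, walks the S-expression, and only then hands the text to
  # Kernel#eval: anything that survives the walk is pure data.
  def self.eval(src)
    sexp = Ripper.sexp(src)          # nil on syntax error
    raise Rejected, "syntax error" if sexp.nil?
    check!(sexp)
    Kernel.eval(src)
  end

  def self.check!(node)
    return if node.nil? || node.is_a?(String) || node.is_a?(Integer)
    raise Rejected, "unexpected #{node.inspect}" unless node.is_a?(Array)
    head = node.first
    unless head.is_a?(Symbol)        # a plain list of nodes or a [line, col] pair
      node.each { |child| check!(child) }
      return
    end
    case head
    when :var_ref   # bare names: only nil/true/false, never Const, @ivar or $gvar
      kind, text = node[1]
      raise Rejected, "identifier #{text.inspect}" unless kind == :@kw && KEYWORDS.include?(text)
    when :unary     # negative numeric literals only; no `!`, `~` or `-foo`
      op, operand = node[1], node[2]
      raise Rejected, "operator #{op}" unless op == :-@ && %i[@int @float].include?(operand.first)
    else
      raise Rejected, "#{head} is not a literal" unless LITERAL_NODES.include?(head)
      node.drop(1).each { |child| check!(child) }
    end
  end
end
```

Interpolated strings such as `"#{1}"` are rejected even when the embedded expression is itself a literal, since the check is structural rather than semantic.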