jcoglan / heist

Scheme in as little Ruby and as much Scheme as possible. Supports macros, continuations, tail recursion and lazy evaluation.

Hidden Ruby Code Evaluation #3

Open benmmurphy opened 10 years ago

benmmurphy commented 10 years ago

So this doesn't seem to be documented anywhere but the heist language supports ruby string interpolation. You might remove all the builtin functions that do bad stuff (load?) and then think you have a safe sandbox. However, the string interpolation allows the sandbox to be broken.

```ruby
require 'heist'

scheme = Heist::Runtime.new
# Single quotes keep Ruby from interpolating here, so the Scheme source handed
# to Heist is the literal "#{puts :foo}". Heist evaluates the string literal as
# a Ruby string, so the interpolation runs and prints "foo".
scheme.eval('"#{puts :foo}"')
```

I'm not sure if this ruby string interpolation syntax is done on purpose or not because it seems a bit weird to embed a different language for string interpolation. Possibly this was a lazy way of implementing \ escapes.

https://github.com/jcoglan/heist/blob/3f372b2463407505dad7359c1e84bf4f32de3142/lib/heist/parser/nodes.rb#L134

Anyway, I think it should be documented that the language supports this feature.
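For comparison, here is how a Scheme string literal can be decoded without handing it to Ruby: an added example written for this thread, not heist's code, using a hypothetical `decode_scheme_string` helper that walks the backslash escapes itself so that `#{...}` is copied through as inert text.

```ruby
# Added example (not heist's code): decode the escape sequences of a Scheme
# string literal by hand instead of evaluating the literal as Ruby source.
# Because nothing here calls eval, "#{...}" inside a literal is just text.

# Escape sequences accepted inside a string literal (a small R7RS-style subset).
SCHEME_ESCAPES = {
  'n'  => "\n",
  't'  => "\t",
  'r'  => "\r",
  '\\' => '\\',
  '"'  => '"'
}.freeze

# Takes the source text of a string literal, surrounding quotes included, and
# returns the Ruby String it denotes. Raises ArgumentError on malformed input.
def decode_scheme_string(literal)
  unless literal.length >= 2 && literal.start_with?('"') && literal.end_with?('"')
    raise ArgumentError, "not a string literal: #{literal.inspect}"
  end

  body = literal[1...-1]
  out = ''.dup
  i = 0
  while i < body.length
    ch = body[i]
    if ch == '\\'
      esc = body[i + 1]
      raise ArgumentError, 'dangling backslash at end of literal' if esc.nil?
      replacement = SCHEME_ESCAPES[esc]
      raise ArgumentError, "unknown escape \\#{esc}" if replacement.nil?
      out << replacement
      i += 2
    else
      # Everything else, including "#{", is an ordinary character.
      out << ch
      i += 1
    end
  end
  out
end

# The literal from the report above: no Ruby code runs, the text is kept as-is.
puts decode_scheme_string('"#{puts :foo}"') if $PROGRAM_NAME == __FILE__
```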

34code commented 7 years ago

classic case of feature not bug haha