What nasty things can user-provided Ruby code do on the server?

I would like to run user-provided Ruby code on the server; what are the potentially nasty things that could happen? I mean things like deleting files, etc. Can you give me more examples?

Thanks in advance!

+2




3 answers


Ruby allows you to set a global variable $SAFE that determines exactly what your untrusted code can mess up. Read more in Locking Ruby in the Safe.

To paraphrase, here is a table of the effects of $SAFE:

$SAFE   Restrictions

0       No checking of the use of externally supplied (tainted) data is performed. This is Ruby's default mode.

>= 1    Ruby disallows the use of tainted data by potentially dangerous operations.

>= 2    Ruby prohibits the loading of program files from globally writable locations.

>= 3    All newly created objects are considered tainted.

>= 4    Ruby effectively partitions the running program in two. Nontainted objects may not be modified. Typically this is used to create a sandbox: the program sets up an environment using a lower $SAFE level, then resets $SAFE to 4 to prevent subsequent changes to that environment.



Here is the content of the table at the bottom of the linked page, which spells out what can be messed with at each $SAFE level. From it you can easily work out what nasty things Ruby code could do.

Definition of the Safe Levels

$SAFE >= 1

  • The environment variables RUBYLIB and RUBYOPT are not processed, and the current directory is not added to the path.
  • The command-line options -e, -i, -I, -r, -s, -S, and -x are not allowed.
  • Can't start processes from $PATH if any directory in it is world-writable.
  • Can't manipulate or chroot to a directory whose name is a tainted string.
  • Can't glob tainted strings.
  • Can't eval tainted strings.
  • Can't load or require a file whose name is a tainted string.
  • Can't manipulate or query the status of a file or pipe whose name is a tainted string.
  • Can't execute a system command or program from a tainted string.
  • Can't pass trap a tainted string.

$SAFE >= 2

  • Can't change, make, or remove directories, or use chroot.
  • Can't load a file from a world-writable directory.
  • Can't load a file from a tainted filename starting with ~.
  • Can't use File#chmod, File#chown, File#lstat, File.stat, File#truncate, File.umask, File#flock, IO#ioctl, IO#stat, Kernel#fork, Kernel#syscall, Kernel#trap, Process::setpgid, Process::setsid, Process::setpriority, or Process::egid=.
  • Can't handle signals using trap.

$SAFE >= 3

  • All objects are created tainted.
  • Can't untaint objects.

$SAFE >= 4

  • Can't modify a nontainted array, hash, or string.
  • Can't modify a global variable.
  • Can't access instance variables of nontainted objects.
  • Can't modify an environment variable.
  • Can't close or reopen nontainted files.
  • Can't freeze nontainted objects.
  • Can't change the visibility of methods (private/public/protected).
  • Can't make an alias in a nontainted class or module.
  • Can't get meta information (such as method or variable lists).
  • Can't define, redefine, remove, or undef a method in a nontainted class or module.
  • Can't modify Object.
  • Can't remove instance variables or constants from nontainted objects.
  • Can't manipulate threads, terminate a thread other than the current one, or set abort_on_exception.
  • Can't have thread-local variables.
  • Can't raise an exception in a thread with a lower $SAFE value.
  • Can't move threads between ThreadGroups.
  • Can't invoke exit, exit!, or abort.
  • Can only load wrapped files, and can't include modules in nontainted classes and modules.
  • Can't convert symbol identifiers to object references.
  • Can't write to files or pipes.
  • Can't use autoload.
  • Can't taint objects.

+8
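An added example, not code from this thread or from the Pickaxe chapter it quotes. Two things the answer above does not say: the $SAFE/taint mechanism was deprecated in Ruby 2.7 and removed in Ruby 3.0, so it is not available as a sandbox on a current interpreter, and even where it existed it only limited what tainted *data* could reach, not what code could be evaluated. The usual reason for "running user code" is evaluating a user-written expression, and the robust approach for that is to never call eval at all: parse the input with the stdlib Ripper and interpret only an explicit allowlist of node types. The module name SafeCalc, the Rejected exception and the 200-character limit are this example's own choices; the S-expression shapes in the comments are Ripper's.

```ruby
require 'ripper'

# Added example (not code from the thread): an allowlisting evaluator for
# user-supplied arithmetic. Instead of eval (with or without $SAFE), the input is
# parsed with the stdlib Ripper and interpreted node by node; any node type the
# interpreter does not know (method calls, constants, variables, strings,
# assignments, ...) is refused before anything is executed.
module SafeCalc
  class Rejected < StandardError; end

  MAX_SOURCE_LENGTH = 200                                     # crude input-size limit
  BINARY_OPS = %i[+ - * / %].freeze                           # ** is left out: 9**9**9 is a cheap DoS
  UNARY_OPS  = %i[-@ +@].freeze

  module_function

  # Evaluate +source+ and return its numeric value, or raise Rejected.
  def evaluate(source)
    raise Rejected, "input too long" if source.length > MAX_SOURCE_LENGTH
    tree = Ripper.sexp(source)                                # nil on syntax error
    raise Rejected, "syntax error" if tree.nil?
    eval_node(tree)
  rescue ZeroDivisionError => e
    raise Rejected, e.message
  end

  # True if +source+ is accepted and evaluates without error.
  def accepts?(source)
    evaluate(source)
    true
  rescue Rejected
    false
  end

  # Walk Ripper's S-expression. Only these node shapes are understood:
  #   [:program, [stmt, ...]]   [:paren, [stmt, ...]]
  #   [:@int, "12", pos]        [:@float, "1.5", pos]
  #   [:binary, lhs, :+, rhs]   [:unary, :-@, operand]
  def eval_node(node)
    raise Rejected, "unexpected #{node.class}" unless node.is_a?(Array)
    type, *rest = node
    case type
    when :program, :paren
      stmts = rest.first
      raise Rejected, "empty expression" unless stmts.is_a?(Array) && !stmts.empty?
      stmts.map { |stmt| eval_node(stmt) }.last
    when :@int   then Integer(rest.first)                     # also handles 0x.., 0b.., 1_000
    when :@float then Float(rest.first)
    when :binary
      lhs, op, rhs = rest
      raise Rejected, "operator #{op} not allowed" unless BINARY_OPS.include?(op)
      eval_node(lhs).public_send(op, eval_node(rhs))
    when :unary
      op, operand = rest
      raise Rejected, "operator #{op} not allowed" unless UNARY_OPS.include?(op)
      eval_node(operand).public_send(op)
    else
      raise Rejected, "#{type} is not allowed"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  ["(1 + 2) * 3", "system('id')", "File.delete('important.log')", "1 / 0"].each do |src|
    begin
      puts "#{src.inspect} => #{SafeCalc.evaluate(src)}"
    rescue SafeCalc::Rejected => e
      puts "#{src.inspect} rejected: #{e.message}"
    end
  end
end
```

The design point is that the interpreter is a whitelist, not a blacklist: a method call, a constant such as File, a global such as $SAFE or a string literal is rejected because eval_node has no branch for it, not because someone thought to forbid it. Exponentiation is deliberately absent and the input length is capped, because a pure-arithmetic evaluator can still be made to burn CPU and memory; if the expression language has to grow (named variables, a few functions), add one more branch per feature rather than falling back to eval.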




All your base are belong to the user.



+1




If you are running regular Ruby, pretty much anything your current user's privileges allow: writing, deleting and overwriting most files, etc.

+1
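An added example, not code from this thread, for the point made in the answer above: the snippet can do whatever the user running it can do, so the first mitigation is to not run it inside the server process at all. The helper below, run_isolated (a name chosen for this example), starts the snippet in a separate ruby child with an empty environment, a neutral working directory, hard OS resource limits via Process.spawn's rlimit_* options and a wall-clock deadline. RLIMIT_FSIZE set to 0 makes any attempt to write file data fail at the kernel, which covers the "overwrite or truncate my files" case from the question regardless of what the Ruby interpreter does. The child still runs as the same user, so in a real deployment it should additionally run as a dedicated unprivileged account or inside a container; that step is not shown here.

```ruby
require 'rbconfig'
require 'timeout'
require 'tmpdir'

# Added example (not code from the thread). Run a user-supplied snippet in a
# separate ruby process with an empty environment, a neutral working directory,
# hard OS resource limits and a wall-clock deadline. RLIMIT_FSIZE=0 turns every
# attempt to write file data into a fatal error, which is what stops "delete or
# overwrite my files"-style snippets here; it is an OS limit, not a Ruby one.
# Returns a Hash describing how the child ended and what it printed.
def run_isolated(source, wall_seconds: 2)
  reader, writer = IO.pipe
  pid = Process.spawn(
    {},                                    # no environment is passed to the child...
    RbConfig.ruby, "--disable-gems", "-e", source,
    unsetenv_others: true,                 # ...and nothing is inherited from the parent
    chdir: "/",                            # not the application's working directory
    in: "/dev/null",                       # no stdin from the parent
    out: writer, err: writer,              # capture stdout and stderr
    pgroup: true,                          # own process group, so descendants can be killed too
    rlimit_cpu: 1,                         # 1 CPU second, then SIGXCPU
    rlimit_fsize: 0,                       # writing >0 bytes to any file: SIGXFSZ / EFBIG
    rlimit_core: 0                         # no core dumps from the signals above
  )
  writer.close                             # the parent keeps only the read end
  collector = Thread.new { reader.read }   # drain the pipe so the child never blocks on it
  timed_out = false
  begin
    _, status = Timeout.timeout(wall_seconds) { Process.wait2(pid) }
  rescue Timeout::Error
    timed_out = true
    begin
      Process.kill("KILL", -pid)           # negative pid: the whole process group
    rescue Errno::ESRCH
      # already gone
    end
    _, status = Process.wait2(pid)
  end
  output = collector.value
  reader.close
  {
    ok: !timed_out && status.success? == true,
    exit: status.exitstatus,               # nil when killed by a signal
    signal: status.termsig,                # e.g. SIGXFSZ for the file-write case
    timed_out: timed_out,
    output: output
  }
end

if $PROGRAM_NAME == __FILE__
  target = File.join(Dir.tmpdir, "run_isolated_demo.txt")   # constructed demo path
  p run_isolated("puts 1 + 1")
  p run_isolated("File.write(#{target.inspect}, 'overwritten')")
end
```

The limits are deliberately coarse: CPU time, file size and a deadline are what the kernel enforces for you with a few keyword arguments, and the result hash records whether the child exited normally, was killed by a signal or hit the deadline, so the caller can distinguish "the expression was wrong" from "the snippet was stopped".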








