Commit 9367b8b

Add Liquid::Box for secure sandboxed template execution

Introduces Liquid::Box which wraps Ruby 4.0's Ruby::Box for secure template execution. On Ruby < 4.0, provides a polyfill with security warnings.

Key features:
- Detects Ruby::Box availability at load time
- Loads safe libraries (CGI, Base64, BigDecimal) into sandbox
- Neuters dangerous methods (file IO, process control, eval, etc.)
- Preserves user constants defined before lock!
- Provides setup_gem_load_paths! to enable gem requires in box

Security model: It is safe to expose side-effect-free, non-IO methods that don't leak objects with dangerous methods. The sandbox blocks capabilities, not data.

1 parent 5cdbce7 commit 9367b8b

2 files changed, +494 -0 lines changed

lib/liquid.rb

Lines changed: 1 addition & 0 deletions
@@ -89,3 +89,4 @@ module Liquid
8989
require 'liquid/usage'
9090
require 'liquid/registers'
9191
require 'liquid/template_factory'
92+
require 'liquid/box'
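
Review bot: The added `require 'liquid/box'` at the end of the require list in lib/liquid.rb loads the box code unconditionally for every consumer of the gem, including applications that never use Liquid::Box. The commit message says the file detects Ruby::Box at load time and falls back to a polyfill with security warnings on Ruby < 4.0, so please confirm that nothing is warned about or patched at require time and that the warning fires only when a box is actually created. If that cannot be guaranteed, consider leaving this as an opt-in require, or using `autoload :Box, 'liquid/box'` inside `module Liquid`, so existing applications see no load-time side effects and nobody on Ruby < 4.0 gets the polyfill implicitly. The remaining added lines are not shown on this page, so this cannot be checked from the hunk alone.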
