Project

rubycop

0.02
No commit activity in last 3 years
No release in over 3 years
There's a lot of open issues
rubycopenvylabs/rubycopHomepageDocumentationSource CodeBug TrackerWiki
Statically analyze Ruby and neutralize nefarious code
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
24,534
Stars
33
Forks
7
Watchers
14
 Releases
Current version
1.0.1
Total releases
3
First release
2011-09-28
Latest release
2012-02-20
 Issues
Open Issues
5
Closed Issues
2
Total Issues
7
Issue Closure Rate
28%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
2
Merged Pull Requests
0
Pull Request Acceptance Rate
0%
 Development
Primary Language
Ruby
Average date of last 50 commits
2011-11-26
Reverse Dependencies
1

 Dependencies

Development

geminabox
>= 0
rspec
~> 2.3.0
yard
>= 0
 Project Readme

RubyCop

RubyCop scans Ruby code and tells you whether it's safe or not. We use it at CodeSchool to check user-submitted code before we eval it on the server.

RubyCop is made up of two pieces: NodeBuilder and Policy. NodeBuilder is responsible for parsing Ruby code (using Ripper) and building an AST (Abstract Syntax Tree). Policy then scans the AST and tells you whether the code is safe or not.

Requirements

RubyCop requires Ruby 1.9, though it should work under 1.8 if you include the "ripper" gem.

Usage

Here's a quick example of building the AST, and evaluating it with the Policy:

>> require "ruby_cop"
=> true
>> policy = RubyCop::Policy.new
>> ast = RubyCop::NodeBuilder.build("x = 1 + 2")
>> ast.accept(policy)
=> true

And if you pass in some unsafe code:

>> ast = RubyCop::NodeBuilder.build("x = `ls -la`")
>> ast.accept(policy)
=> false

Drawbacks

Ruby is a very dynamic language, so this kind of static analysis will only get you so far. RubyCop blocks obvious things like backticks and unsafe Kernel methods (#eval, #exec, #fork, etc.), but has to err on the side of safety in other places. For instance, #send is considered unsafe.