processi

about processes and engines

rufus-treechecker

I was surprised to see a mention of the gem rufus-treechecker in an InfoQ article about Ruby static analysis tools.

Maybe it’s time for me to explain what this tree hugging checking is about.

Here is a tiny example that detects calls to exit or exit!

require 'rubygems'
require 'rufus/treechecker'
  # sudo gem install -y rufus-treechecker

tc = Rufus::TreeChecker.new do
  exclude_call_to :exit
  exclude_call_to :exit!
end

tc.check("def sum (a, b)\na + b\nend")
  # no worries, code seems OK

tc.check("def die (msg)\nputs msg; exit 1; end")
  # will throw a Rufus::SecurityException

rufus-treechecker attempts to detect certain patterns in the code it is asked to check. If an excluded pattern is found, it complains by raising a Rufus::SecurityException. It leverages ruby_parser by Ryan Davis.

I’m using this gem inside of Ruote to check the source of ruby process definitions before they get evaluated. Ruote uses two tree checkers, each with a ruleset that excludes certain code patterns.
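As an added illustration of the mechanism (not code from the gem or from Ruote), here is a minimal checker of the same shape built on Ruby's standard-library Ripper parser instead of ruby_parser: it walks the S-expression and raises on excluded call names. The names MiniTreeChecker, SecurityException and CHECKER are this example's own.

```ruby
require 'ripper'
# Plays the role of Rufus::SecurityException; the class is this example's own.
class SecurityException < StandardError; end

# Stripped-down checker in the spirit of rufus-treechecker, built on the
# standard-library Ripper parser instead of ruby_parser.
class MiniTreeChecker
  # Ripper call node types, mapped to the index of their [:@ident, name, pos]
  # child: `exit` is :vcall, `exit(1)` :fcall, `exit 1` :command,
  # `Kernel.exit` :call and `Kernel.exit 1` :command_call.
  IDENT_INDEX = { vcall: 1, fcall: 1, command: 1, call: 3, command_call: 3 }.freeze

  def initialize(&ruleset)
    @excluded = {}
    instance_eval(&ruleset) if ruleset
  end

  def exclude_call_to(*names)
    names.each { |n| @excluded[n.to_s] = true }
  end

  # Parses +code+ and raises SecurityException on the first excluded call
  # (or on unparseable input); returns the S-expression otherwise.
  def check(code)
    tree = Ripper.sexp(code)
    raise SecurityException, 'code does not parse' if tree.nil?
    walk(tree)
    tree
  end

  def safe?(code)
    check(code)
    true
  rescue SecurityException
    false
  end

  private
  def walk(node)
    return unless node.is_a?(Array)
    if (idx = IDENT_INDEX[node[0]]) && (ident = node[idx]).is_a?(Array) &&
       ident[0] == :@ident && @excluded[ident[1]]
      raise SecurityException, "call to #{ident[1]} (line #{ident[2][0]}) is excluded"
    end
    node.each { |child| walk(child) } # recurse into bodies, args, receivers
  end
end

# The post's ruleset. A denylist only sees literal call sites, so names that
# could be reached through send or eval would have to be excluded as well.
CHECKER = MiniTreeChecker.new { exclude_call_to :exit, :exit! }
```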

Maybe this gem will be useful to someone else. Hints at [potential] flaws are welcome.

(OK, I know, I shouldn’t be that lazy, I could write a grammar and bypass all that checking ritual)

rdoc : http://rufus.rubyforge.org/rufus-treechecker
github : http://github.com/jmettraux/rufus-treechecker
rubyforge : http://rubyforge.org/projects/rufus

the whole rufus family : http://rufus.rubyforge.org

Written by John Mettraux

November 10, 2008 at 6:57 am

Posted in ruby, rufus, ruote
