Last active

Inspired by @JEG2's talk at Rubyconf... Any ruby object, as a webapp! 'Cause we can. :-)

  • Download Gist
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
require 'rubygems'
require 'rack'
class Object
def webapp
class << self
define_method :call do |env|
func, *attrs = env['PATH_INFO'].split('/').reject(&:empty?)
[200, {}, send(func, *attrs)]
end [].webapp, :Port => 9292
# ^^^^^^^^^^^
# | (x)
# http://localhost:9292/push/1 -> 1
# http://localhost:9292/push/2 -> 12
# http://localhost:9292/push/3 -> 123
# http://localhost:9292/to_a -> 123
# http://localhost:9292/pop -> 3
# http://localhost:9292/shift -> 1
# Implementations in other languages (thanks guys!):
# Node.js:
# Groovy:
# Python:
# Great explanation of how this works in Ruby on Stackoverflow:

Should be [200, {}, [send(func, *attrs).to_s]].

I quite like this. However, you could do really horrible stuff with eval and friends.

I changed REQUEST_PATH to PATH_INFO since REQUEST_PATH always returns "/" on Webrick. Also added the #to_s() call as suggested by @rkh.

Updated gist:

http://localhost:9292/instance_eval/exec("rm -rf /")

The roflcopter in the comments is blowing my mind.

@Oshuma: good stuff, will update the gist in a sec.

@tobi: with great power comes.. nah, actually, your example wouldn't work because the "/" in rm would get swallowed by split! :-)

@technoweenie: woot! that's exactly what I was going for.

I love the roflcopter


@JamieFlournoy J2EE had these kind of security feature a long time ago if i remember correctly the spring bean introspector feature( and it was more lines of code, so better

RickRoll spoiler: Don't click on the trollish "J2EE version" link from @JamieFlournoy


Seriously, the roflcopter is amazing.

what about this hehehe:

class Object

  DANGEROUS_METHODS = methods.grep(/eval|instance|module|method|send|taint|extend|include|freeze/)

  def webapp
    class << self
      define_method :call do |env|
        func, *attrs = env['PATH_INFO'].split('/').reject(&:empty?)
        result = DANGEROUS_METHODS.include?(func) ? 'METHOD NOT ALLOWED' : send(func, *attrs).to_s
        [200, {}, [result]]


alias (unsure)

It should be a whitelist instead of black list, I believe.

mmm, well, yes, it might be, the only thing is that we'd need an ALLOWED_METHODS per class or something like that, I mean, I wouldn't do the following in the Object class:

ALLOWED_METHODS = w%[a lot of methods of different classes]

well, I don't know, maybe, hehe

Might take some inspiration from this to make it actually possible to expose objects as Rack endpoints in Grape...still thinking of how to make it work exactly.

$SAFE = 1 would disable a lot of the nastier methods. You'd still have to undef them in JRuby, though.

woow ROaaS = Ruby Objects as a Service hehehe

@Oshuma: Nice! :-)

Very nice. Here are some implementations I did in Perl & Io: - Perl using plack - Perl using Continuity - Io

@draegtun: awesome, thanks! Added your gist links to the one above.

Hello, this is really great but there are some things I am not really sure. For instance, I cannot get the object class with http://localhost:9292/class.

http://localhost:9292/push/1 -> 1
http://localhost:9292/push/2 -> 12
http://localhost:9292/push/3 -> 123
http://localhost:9292/to_a -> 123

I would expect
http://localhost:9292/class -> Array

Sorry if I'm wrong, just trying to understand :)


Luc, you have to be careful with your version of Ruby. Rack expects an object on which you can call "each". Under Ruby 1.9, String does not have an .each method. Chances are, Rack is erroring out because of that. A simple workaround would be wrap every returned object into a "".

Hmm, sounds strange. In fact I'm using Ruby 1.8.7

luc@venus:~/Projects/rubyobject ruby --version
ruby 1.8.7 (2009-06-12 patchlevel 174) [universal-darwin10.0]

Should it work with this version ?
Thanks a lot for your help.

Yep, 1.8.7 should work. What does your console output when you run the server and make that request?

hmmm, you'r right, it's talking about the each method... but I'm running ruby 1.8.7 new'
Wed Nov 24 16:03:46 +0100 2010: Read error: #<NoMethodError: undefined method
each' for Array:Class>
/Library/Ruby/Gems/1.8/gems/rack-1.2.1/lib/rack/chunked.rb:37:in each'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:159:in process_client'
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/gems/1.8/gems/mongrel-1.1.5/lib/mongrel.rb:158:in `process_cli

Right, you're seeing the problem I described below. You need to convert everything to a StringIO and then you're good to go.

So I updated it a bit in my fork; it removes url encoding and returns json serialization of results

How come you didn’t settle with def instead?

require 'rack'

class Object
  def to_webapp
      func, *attrs = env['PATH_INFO'].split('/').reject(&:empty?)
      [200, {}, send(func || :inspect, *attrs)]
end [].to_webapp, :Port => 9292

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.