Merge branch 'sandbox'

Conflicts:
	Rakefile

Rakefile

@@ -325,7 +325,7 @@ namespace :examples do
       puts "Building example: #{example}"
       Dir.chdir(example.to_s) do
         execute_command "rm -rf Pods DerivedData"
-        execute_command "#{'../../bin/' unless ENV['FROM_GEM']}pod install --verbose --no-repo-update"
+        execute_command "#{'../../bin/' unless ENV['FROM_GEM']}sandbox-pod install --verbose --no-repo-update"
         command = "xcodebuild -workspace '#{example.basename}.xcworkspace' -scheme '#{example.basename}'"
         if (example + 'Podfile').read.include?('platform :ios')
           # Specifically build against the simulator SDK so we don't have to deal with code signing.

bin/sandbox-pod

+#!/usr/bin/env ruby
+
+# This bin wrapper runs the `pod` command in a OS X sandbox. The reason for this
+# is to ensure that people can’t use malicious code from pod specifications.
+#
+# It does this by creating a ‘seatbelt’ profile on the fly and executing the
+# given command through `/usr/bin/sandbox-exec`. This profile format is an
+# undocumented format, which uses TinyScheme to implement its DSL.
+#
+# Even though it uses a undocumented format, it’s actually very self-explanatory.
+# Because we use a whitelist approach, `(deny default)`, any action that is
+# denied is logged to `/var/log/system.log`. So tailing that should provide
+# enough information on steps that need to be take to get something to work.
+#
+# For more information see:
+#
+# * https://github.com/CocoaPods/CocoaPods/issues/939
+# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Slides.pdf
+# * http://reverse.put.as/wp-content/uploads/2011/08/The-Apple-Sandbox-BHDC2011-Paper.pdf
+# * https://github.com/s7ephen/OSX-Sandbox--Seatbelt--Profiles
+# * `$ man sandbox-exec`
+# * `$ ls /usr/share/sandbox`
+
+if $0 == __FILE__
+  $:.unshift File.expand_path('../../lib', __FILE__)
+end
+require 'pathname'
+require 'cocoapods/config'
+
+
+pod_bin = File.expand_path('../pod', __FILE__)
+pod_prefix = File.expand_path('../..', pod_bin)
+
+require 'rbconfig'
+ruby_bin = File.join(RbConfig::CONFIG['bindir'], RbConfig::CONFIG['ruby_install_name'])
+ruby_prefix = RbConfig::CONFIG['prefix']
+
+prefixes = ['/bin', '/usr/bin']
+prefixes << `brew --prefix`.strip unless `which brew`.strip.empty?
+
+developer_prefix = `xcode-select --print-path`.strip
+xcode_app_path = File.expand_path('../..', developer_prefix)
+
+
+require 'erb'
+profile = ERB.new(DATA.read, 0, '>').result(TOPLEVEL_BINDING)
+puts profile
+
+command = ['/usr/bin/sandbox-exec', '-p', profile, pod_bin, *ARGV]
+puts command
+exec *command
+
+
+__END__
+(version 1)
+(debug allow)
+
+(import "mDNSResponder.sb")
+
+(allow file-ioctl)
+(allow sysctl-read)
+(allow mach-lookup)
+(allow ipc-posix-shm)
+(allow process-fork)
+(allow system-socket)
+
+; TODO make this stricter if possible
+(allow network-outbound)
+
+(allow process-exec
+  (regex 
+    #"^<%= pod_bin %>"
+    #"^<%= ruby_bin %>"
+    #"^<%= File.join(developer_prefix, 'usr/bin/xcrun') %>"
+    #"^<%= File.join(developer_prefix, 'usr/bin/xcodebuild') %>"
+<% prefixes.each do |prefix| %>
+    #"^<%= prefix %>/*"
+<% end %>
+  )
+)
+
+(allow file-read-metadata)
+(allow file-read*
+  (regex
+    ; TODO see if we can restrict this more, but it's going to be hard
+    #"^/Users/[^.]+/*"
+    ;#"^/Users/[^.]+/.netrc"
+    ;#"^/Users/[^.]+/.gemrc"
+    ;#"^/Users/[^.]+/.gem/*"
+    ;#"^/Users/[^.]+/Library/.*"
+    #"^/Library/*"
+    #"^/System/Library/*"
+    #"^/usr/lib/*"
+    #"^/usr/share/*"
+    #"^/private/*"
+    #"^/dev/*"
+    #"^<%= ruby_prefix %>"
+    #"^<%= pod_prefix %>"
+    #"^<%= xcode_app_path %>"
+    #"^<%= Pod::Config.instance.repos_dir %>"
+  )
+)
+
+(allow file-write*
+  (regex
+    #"^<%= Pod::Config.instance.project_root %>"
+    #"^<%= Pod::Config.instance.repos_dir %>"
+    #"^/Users/[^.]+/Library/Caches/CocoaPods/*"
+    #"^/dev/dtracehelper"
+    #"^/dev/tty"
+    #"^/dev/null"
+    #"^/private/var"
+  )
+)
+
+(deny default)