From: daniel@...42.com Date: 2019-08-30T17:45:52+00:00 Subject: [ruby-core:94689] [Ruby master Feature#16131] Remove $SAFE, taint and trust Issue #16131 has been updated by Dan0042 (Daniel DeLorme). jeremyevans0 (Jeremy Evans) wrote: > For `tainted?`/`trusted?` to work correctly, we would need to continue to support taint tracking at least in some state. We could reduce the scope of the taint flag, though. For example, we could make it so the taint flag is never checked by any core/stdlib code, and never transfered to another object. However calling `taint`/`trust`/`untaint`/`untrust` on an object and then calling `tainted?`/`trusted?` on the same object will still behave as it does in 2.6. That would allow your abuse of `taint` for dirty tracking to continue to work in 2.7. If we do that, I think we should still add a non-verbose warning in 2.7 when `tainted?`/`trusted?` are called, and remove `tainted?`/`trusted?` in 3.0. That sounds good to me. At that point you could even replace the taint/trust bit flags by instance variables. ---------------------------------------- Feature #16131: Remove $SAFE, taint and trust https://bugs.ruby-lang.org/issues/16131#change-81295 * Author: naruse (Yui NARUSE) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- Ruby had Taint checking which is originally introduced in Perl. https://en.wikipedia.org/wiki/Taint_checking It was intended to provide a useful tool for handle objects which are come from outside. Input data is set as tainted by default and call untaint if you checked or filtered the value. Some people used this feature in the age of CGI. But these days, no one use the mechanism and input libraries usually doesn't support it. For example rack, as following shows its input is not tainted and the mechanism is unusable. ``` % cat foo.ru run ->(env) do ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]] end % rackup foo.ru [51724] Puma starting in cluster mode... [51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas [51724] * Min threads: 3, max threads: 3 [51724] * Environment: development [51724] * Process workers: 1 [51724] * Preloading application [51724] * Listening on tcp://localhost:9292 [51724] Use Ctrl-C to stop [51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile [51724] - Worker 0 (pid: 51737) booted, phase: 0 ``` ``` % curl http://localhost:9292/\?foo=1 Is QUERY_STRING tainted?: false ``` Therefore I think Taint checking mechanism is unusable on the current Ruby ecosystem. On the other hand we experienced multiple vulnerability around $SAFE and taint mechanism. https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8 The cost of maintaining it is expensive. In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest to remove it. -- https://bugs.ruby-lang.org/ Unsubscribe: