From: merch-redmine@...
Date: 2019-11-11T17:55:46+00:00
Subject: [ruby-core:95797] [Ruby master Feature#16131] Remove $SAFE, taint and trust

Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).

mame (Yusuke Endoh) wrote:
> Hi @jeremyevans0 , thank you for your great work.
>
> I might be one lap behind, but as far as I understand, the taint tracking will be removed in 2.7. However, it still looks enabled:
>
> ```
> $ ./miniruby -e '$SAFE=1; File.symlink?("/etc/passwd".taint)'
> Traceback (most recent call last):
>         1: from -e:1:in `<main>'
> -e:1:in `symlink?': Insecure operation - symlink? (SecurityError)
> ```
>
> Rubygems removed untaint operations, which leads to an `Insecure operation - symlink?` error in the rubygems test suite:
>
> ```
>   1) Failure:
> TestRequire#test_require_insecure_path [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:66]:
> Expected "Insecure operation - symlink?" to include "loading from unsafe path".
>
>   2) Failure:
> TestRequire#test_require_insecure_path_shift_jis [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:94]:
> Expected "Insecure operation - symlink?" to include "loading from unsafe path".
> ```
>
> https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian8/ruby-master/log/20191111T153007Z.fail.html.gz
>
> Thanks,

I haven't committed the changes to Ruby core yet. Committing the Ruby core changes first would have broken it as well. I will try to commit the changes later this week. If it cannot wait that long, please let me know, but I'll be traveling and not able to do much for the next ~36 hours.

Unfortunately, there are about 25 separate repositories where changes need to be committed, and for most of those places the changes need to be backwards compatible with earlier versions, which wasn't part of the initial branch prepared. So for each of those repositories, the changes in the initial branch need to be backed out before merging. This is one of the negative aspects of gemifying the standard library and moving each library to its own repository.

Additionally, more of the standard library got moved to gems since I prepared the per-gem commits, so I need to recheck all of those libraries and see if they are affected by the taint removal.
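An added example, not code from this issue, RubyGems, or any of the gems the reply mentions, of the feature-detecting shim a gem needs when its `untaint` call sites must keep working on Rubies that still enforce taint, on Rubies where the methods are deprecated no-ops, and on Rubies where they no longer exist; `TaintCompat` and `safe_path` are hypothetical names.

```ruby
# Compatibility shim for gems that must run on Ruby < 2.7 (taint enforced),
# 2.7-3.1 (taint methods are deprecated no-ops) and 3.2+ (methods removed).
# Feature-detect instead of comparing RUBY_VERSION so the shim never calls
# a method that is absent from the running interpreter.
module TaintCompat
  # True only where Object (via Kernel) still responds to #tainted?.
  TAINT_SUPPORTED = Object.method_defined?(:tainted?)

  # Report taint; on Ruby >= 3.2 there is no taint, so answer false
  # instead of raising NoMethodError.
  def self.tainted?(obj)
    TAINT_SUPPORTED ? obj.tainted? : false
  end

  # Clear taint on old Rubies, no-op elsewhere. Returns obj so that a
  # `path.untaint` call site can be replaced one for one.
  def self.untaint(obj)
    TAINT_SUPPORTED ? obj.untaint : obj
  end

  # Hypothetical helper shaped like gem code from the thread: produce a
  # path that can be handed to File/require under $SAFE=1 on old Rubies
  # without an "Insecure operation" SecurityError, and that is simply the
  # expanded path on new Rubies.
  def self.safe_path(path)
    untaint(File.expand_path(path.to_s.dup))
  end
end
```

Call sites that previously did `File.expand_path(p).untaint` become `TaintCompat.safe_path(p)` and behave identically on every supported Ruby.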
----------------------------------------
Feature #16131: Remove $SAFE, taint and trust
https://bugs.ruby-lang.org/issues/16131#change-82619

* Author: naruse (Yui NARUSE)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Ruby has taint checking, which was originally introduced in Perl.
https://en.wikipedia.org/wiki/Taint_checking

It was intended to provide a useful tool for handling objects which come from outside. Input data is marked as tainted by default, and you call untaint once you have checked or filtered the value. Some people used this feature in the age of CGI.

But these days no one uses the mechanism, and input libraries usually don't support it. For example rack: as the following shows, its input is not tainted and the mechanism is unusable.

```
% cat foo.ru
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
end
% rackup foo.ru
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
```

```
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false
```

Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.

On the other hand, we have experienced multiple vulnerabilities around $SAFE and the taint mechanism.
https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
The cost of maintaining it is high.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest removing it.

-- 
https://bugs.ruby-lang.org/