Project

General

Profile

Actions

Bug #10209

closed

attr_reader vulnerability

Added by crojas (Carlos Luis Rojas Aragonés) almost 8 years ago. Updated almost 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.0.0p247 (2013-06-27) [i586-linux]
[ruby-core:64815]

Description

It is possible to change a read_only class attribute:

require 'pp'
class Attributes
  attr_reader :string, :array, :hash
  def initialize
    @string = 'value'
    @array = [1, 2, 3, 4]
    @hash = { name: 'Carlos', age: 25 }
  end
end

instance = Attributes.new
pp 'Original atributes:'
pp '-------------------------'
pp instance.string
pp instance.array
pp instance.hash
pp '-------------------------'

# bang!!
# this should not afect the original atribute.
instance.string.gsub!(/.*/, '')
instance.array.clear
instance.hash.clear

pp 'After Hacking attributes:'
pp '-------------------------'
pp instance.string
pp instance.array
pp instance.hash
pp '-------------------------'

Files

attributes.rb (628 Bytes) attributes.rb crojas (Carlos Luis Rojas Aragonés), 09/06/2014 08:01 PM

Updated by crojas (Carlos Luis Rojas Aragonés) almost 8 years ago

Output:

"Original atributes:"
"-------------------------"
"value"
[1, 2, 3, 4]
{:name=>"Carlos", :age=>25}
"-------------------------"
"After Hacking attributes:"
"-------------------------"
""
[]
{}
"-------------------------"

Updated by jeremyevans0 (Jeremy Evans) almost 8 years ago

This isn't a vulnerability, it's expected behavior. If you don't want to allow modification of an object, freeze the object.

Updated by crojas (Carlos Luis Rojas Aragonés) almost 8 years ago

mmm I think IMHO that the attr_reader accessor should return a .dub version of the object. That way there will be no chance to edit the class attribute on a read action.

Updated by nobu (Nobuyoshi Nakada) almost 8 years ago

  • Status changed from Open to Rejected

A spec.

Updated by nobu (Nobuyoshi Nakada) almost 8 years ago

  • Description updated (diff)

And, when you wonder if it is a vulnerability, please feel free to post to , instead of an issue here.

Actions

Also available in: Atom PDF