Project

General

Profile

Actions

Bug #14060

closed

SecurityError with $SAFE=1 when requiring an untainted path

Added by philr3 (Phil Ross) over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]
[ruby-core:83583]

Description

Calling Kernel#require with $SAFE=1 on Ruby 2.5.0preview1 results in a SecurityError when the path being required is not tainted:

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from (irb):5
        from /home/philr/.rbenv/versions/2.5.0-preview1/bin/irb:11:in `<main>'
irb(main):006:0> $:.find_all {|p| p.tainted? }
=> []

I would expect the SecurityError to be raised only when the path being required is tainted. For example, on Ruby 2.4.2:

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
=> true
irb(main):006:0> tainted_f = 'fileutils'.taint
=> "fileutils"
irb(main):007:0> tainted_f.tainted?
=> true
irb(main):008:0> require tainted_f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from (irb):8
        from /home/philr/.rbenv/versions/2.4.2/bin/irb:11:in `<main>'

Updated by hsbt (Hiroshi SHIBATA) over 3 years ago

  • Assignee set to hsbt (Hiroshi SHIBATA)
  • Status changed from Open to Assigned
Actions #2

Updated by znz (Kazuhiro NISHIYAMA) over 3 years ago

I checked.

  • In gemspec_stubs_in, dir is tainted
  • In caller, default_specifications_dir is tainted
  • In rubygems/basic_specification.rb, Gem.default_dir is tainted
  • In default_dir, RbConfig::CONFIG['rubylibprefix'] is tainted in my environment

In rbconfig, TOPDIR.tainted? changed.

% rbenv each ruby -vrrbconfig -e 'p RbConfig::TOPDIR.tainted?'
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
false
ruby 2.5.0dev (2017-10-30 trunk 60579) [x86_64-linux]
true

Using git bisect, TOPDIR.tainted? is true since r59984.

Actions #3

Updated by znz (Kazuhiro NISHIYAMA) over 3 years ago

  • Assignee changed from hsbt (Hiroshi SHIBATA) to nobu (Nobuyoshi Nakada)
Actions #4

Updated by nobu (Nobuyoshi Nakada) over 3 years ago

  • Status changed from Assigned to Closed

Applied in changeset trunk|r60596.


file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infetct the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

Updated by philr3 (Phil Ross) about 3 years ago

  • Status changed from Closed to Open

This bug is now showing up as a regression in version 2.4.4 (it didn't occur in version 2.4.3):

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from (irb):5
        from /home/philr/.rbenv/versions/2.4.4/bin/irb:11:in `<main>'
Actions #6

Updated by nobu (Nobuyoshi Nakada) about 3 years ago

  • Backport changed from 2.3: UNKNOWN, 2.4: UNKNOWN to 2.3: DONTNEED, 2.4: REQUIRED
  • Status changed from Open to Closed

Updated by usa (Usaku NAKAMURA) almost 3 years ago

  • Backport changed from 2.3: DONTNEED, 2.4: REQUIRED to 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r63807 merged revision(s) 60596,60599.

Actions

Also available in: Atom PDF