Bug #14060

SecurityError with $SAFE=1 when requiring an untainted path

Added by philr3 (Phil Ross) almost 2 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]
[ruby-core:83583]

Description

Calling Kernel#require with $SAFE=1 on Ruby 2.5.0preview1 results in a SecurityError when the path being required is not tainted:

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
        from (irb):5
        from /home/philr/.rbenv/versions/2.5.0-preview1/bin/irb:11:in `<main>'
irb(main):006:0> $:.find_all {|p| p.tainted? }
=> []

I would expect the SecurityError to be raised only when the path being required is tainted. For example, on Ruby 2.4.2:

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
=> true
irb(main):006:0> tainted_f = 'fileutils'.taint
=> "fileutils"
irb(main):007:0> tainted_f.tainted?
=> true
irb(main):008:0> require tainted_f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from (irb):8
        from /home/philr/.rbenv/versions/2.4.2/bin/irb:11:in `<main>'

Associated revisions

Revision 42727ceb
Added by nobu (Nobuyoshi Nakada) almost 2 years ago

file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infect the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60596 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 60596
Added by nobu (Nobuyoshi Nakada) almost 2 years ago

file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infect the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

Revision 2b43825f
Added by nobu (Nobuyoshi Nakada) almost 2 years ago

file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infect the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60599 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 60599
Added by nobu (Nobuyoshi Nakada) almost 2 years ago

file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infect the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

Revision 440a6b5d
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 60596,60599: [Backport #14060]

    file.c: infect from arguments

    * file.c (rb_check_realpath_internal): infect the result with
      arguments, no taint if none are tainted and cwd is not used.
      [ruby-core:83583] [Bug #14060]

    file.c: infect from arguments

    * file.c (rb_check_realpath_internal): infect the result with
      arguments, no taint if none are tainted and cwd is not used.
      [ruby-core:83583] [Bug #14060]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@63807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 63807
Added by usa (Usaku NAKAMURA) about 1 year ago

merge revision(s) 60596,60599: [Backport #14060]

file.c: infect from arguments

* file.c (rb_check_realpath_internal): infect the result with
  arguments, no taint if none are tainted and cwd is not used.
  [ruby-core:83583] [Bug #14060]

file.c: infect from arguments

* file.c (rb_check_realpath_internal): infect the result with
  arguments, no taint if none are tainted and cwd is not used.
  [ruby-core:83583] [Bug #14060]

Revision ad10b43f
Added by usa (Usaku NAKAMURA) 12 months ago

re-patched r50599 because of test failure on TravisCI.
[Backport #14060]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_4@64649 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 64649
Added by usa (Usaku NAKAMURA) 12 months ago

re-patched r50599 because of test failure on TravisCI.
[Backport #14060]

History

Updated by hsbt (Hiroshi SHIBATA) almost 2 years ago

  • Assignee set to hsbt (Hiroshi SHIBATA)
  • Status changed from Open to Assigned
#2

Updated by znz (Kazuhiro NISHIYAMA) almost 2 years ago

I checked.

  • In gemspec_stubs_in, dir is tainted
  • In caller, default_specifications_dir is tainted
  • In rubygems/basic_specification.rb, Gem.default_dir is tainted
  • In default_dir, RbConfig::CONFIG['rubylibprefix'] is tainted in my environment

In rbconfig, TOPDIR.tainted? changed.

% rbenv each ruby -vrrbconfig -e 'p RbConfig::TOPDIR.tainted?'
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
false
ruby 2.5.0dev (2017-10-30 trunk 60579) [x86_64-linux]
true

Using git bisect, TOPDIR.tainted? is true since r59984.
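
The trace in the comment above can be repeated on any installation with a short script. This is an added example, not code from the issue or from Ruby itself; the helper names (`tainted_value?`, `taint_chain`, `taint_report`, `first_tainted`) are made up here, and on a Ruby without taint tracking every row reports clean.

```ruby
require 'rbconfig'
require 'rubygems'

# Hypothetical helper: true only when the object supports taint tracking
# and is actually tainted. Guarded so the script also runs on Rubies
# where #tainted? no longer exists.
def tainted_value?(obj)
  obj.respond_to?(:tainted?) && obj.tainted? ? true : false
end

# The values named in the comment above, innermost source first.
def taint_chain
  [
    ["RbConfig::TOPDIR",                  RbConfig::TOPDIR],
    ["RbConfig::CONFIG['rubylibprefix']", RbConfig::CONFIG['rubylibprefix']],
    ["Gem.default_dir",                   Gem.default_dir],
  ]
end

# One row per chain value, followed by one row per $LOAD_PATH entry
# (the issue description checks $: for tainted entries as well).
def taint_report(chain = taint_chain, load_path = $LOAD_PATH)
  rows = chain.map do |name, value|
    { name: name, value: value, tainted: tainted_value?(value) }
  end
  load_path.each_with_index do |dir, i|
    rows << { name: "$LOAD_PATH[#{i}]", value: dir, tainted: tainted_value?(dir) }
  end
  rows
end

# Name of the earliest tainted value in the report, or nil if all are clean.
def first_tainted(rows)
  hit = rows.find { |r| r[:tainted] }
  hit && hit[:name]
end

if __FILE__ == $PROGRAM_NAME
  rows = taint_report
  rows.each do |r|
    state = r[:tainted] ? "TAINTED" : "clean"
    puts format("%-36s %-7s %s", r[:name], state, r[:value].inspect)
  end
  origin = first_tainted(rows)
  puts(origin ? "earliest tainted value: #{origin}" : "no tainted values found")
end
```

Run under `$SAFE=0` with the interpreter being investigated; the first `TAINTED` row is the value to bisect on, as was done for `TOPDIR` above.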

#3

Updated by znz (Kazuhiro NISHIYAMA) almost 2 years ago

  • Assignee changed from hsbt (Hiroshi SHIBATA) to nobu (Nobuyoshi Nakada)
#4

Updated by nobu (Nobuyoshi Nakada) almost 2 years ago

  • Status changed from Assigned to Closed

Applied in changeset trunk|r60596.


file.c: infect from arguments

  • file.c (rb_check_realpath_internal): infect the result with arguments, no taint if none are tainted and cwd is not used. [ruby-core:83583] [Bug #14060]

Updated by philr3 (Phil Ross) over 1 year ago

  • Status changed from Closed to Open

This bug is now showing up as a regression in version 2.4.4 (it didn't occur in version 2.4.3):

irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
        from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
        from (irb):5
        from /home/philr/.rbenv/versions/2.4.4/bin/irb:11:in `<main>'
#6

Updated by nobu (Nobuyoshi Nakada) over 1 year ago

  • Backport changed from 2.3: UNKNOWN, 2.4: UNKNOWN to 2.3: DONTNEED, 2.4: REQUIRED
  • Status changed from Open to Closed

Updated by usa (Usaku NAKAMURA) about 1 year ago

  • Backport changed from 2.3: DONTNEED, 2.4: REQUIRED to 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r63807 merged revision(s) 60596,60599.
