Actions
Bug #14060
closed
SecurityError with $SAFE=1 when requiring an untainted path
Description
Calling Kernel#require with $SAFE=1 on Ruby 2.5.0preview1 results in a SecurityError when the path being required is not tainted:
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
from (irb):5
from /home/philr/.rbenv/versions/2.5.0-preview1/bin/irb:11:in `<main>'
irb(main):006:0> $:.find_all {|p| p.tainted? }
=> []
I would expect the SecurityError to be raised only when the path being required is tainted. For example, on Ruby 2.4.2:
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
=> true
irb(main):006:0> tainted_f = 'fileutils'.taint
=> "fileutils"
irb(main):007:0> tainted_f.tainted?
=> true
irb(main):008:0> require tainted_f
SecurityError: Insecure operation - gem_original_require
from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from (irb):8
from /home/philr/.rbenv/versions/2.4.2/bin/irb:11:in `<main>'
Updated by hsbt (Hiroshi SHIBATA) over 6 years ago
- Status changed from Open to Assigned
- Assignee set to hsbt (Hiroshi SHIBATA)
Updated by znz (Kazuhiro NISHIYAMA) over 6 years ago
I checked.
- In
gemspec_stubs_in,diris tainted - In caller,
default_specifications_diris tainted - In
rubygems/basic_specification.rb,Gem.default_diris tainted - In
default_dir,RbConfig::CONFIG['rubylibprefix']is tainted in my environment
In rbconfig, TOPDIR.tainted? changed.
% rbenv each ruby -vrrbconfig -e 'p RbConfig::TOPDIR.tainted?'
ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]
false
ruby 2.5.0dev (2017-10-30 trunk 60579) [x86_64-linux]
true
Using git bisect, TOPDIR.tainted? is true since r59984.
Updated by znz (Kazuhiro NISHIYAMA) over 6 years ago
- Assignee changed from hsbt (Hiroshi SHIBATA) to nobu (Nobuyoshi Nakada)
Updated by nobu (Nobuyoshi Nakada) over 6 years ago
- Status changed from Assigned to Closed
Applied in changeset trunk|r60596.
file.c: infect from arguments
- file.c (rb_check_realpath_internal): infetct the result with
arguments, no taint if none are tainted and cwd is not used.
[ruby-core:83583] [Bug #14060]
Updated by philr3 (Phil Ross) about 6 years ago
- Status changed from Closed to Open
This bug is now showing up as a regression in version 2.4.4 (it didn't occur in version 2.4.3):
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from (irb):5
from /home/philr/.rbenv/versions/2.4.4/bin/irb:11:in `<main>'
Updated by nobu (Nobuyoshi Nakada) about 6 years ago
- Status changed from Open to Closed
- Backport changed from 2.3: UNKNOWN, 2.4: UNKNOWN to 2.3: DONTNEED, 2.4: REQUIRED
Updated by usa (Usaku NAKAMURA) almost 6 years ago
- Backport changed from 2.3: DONTNEED, 2.4: REQUIRED to 2.3: DONTNEED, 2.4: DONE
ruby_2_4 r63807 merged revision(s) 60596,60599.
Actions
Like0
Like0Like0Like0Like0Like0Like0Like0