Bug #14485


For File#path.tainted? and File#to_path.tainted? should match original.tainted?

Added by tscheingeld (Terry Scheingeld) over 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
ruby -v: ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
[ruby-core:85619]

Description

Problem: if you create a File object using an untainted path, File#path and File#to_path return identical strings except they are tainted. That's counter-intuitive. If the input path has been properly vetted then File should not taint it.

Here's a simple example which produces a security violation:

#!/usr/bin/ruby -w
$SAFE = 1
path = './myfile.txt'
file = File.open(path, 'r')
File.exist?(file.path)

which gives us this error:

./to-path.rb:5:in `exist?': Insecure operation - exist? (SecurityError)
  from ./to-path.rb:5:in `<main>'

In this example, path isn't tainted because it was created in the program. However, file.path, which is an identical string (i.e. not normalized), is tainted.

This issue became a problem in rack/lint. (Not sure how to tell which version.) Lint tries to do some optimizing, but crashes in these lines:

if @body.respond_to?(:to_path)
  assert("The file identified by body.to_path does not exist") {
    ::File.exist? @body.to_path
  }
end
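An added example, not code from the bug report, from Ruby or from rack: it packages the observation above as a check that degrades gracefully on Rubies without taint tracking, and shows the application-side workaround for the rack/lint case, handing the lint check the string the application vetted instead of a File object whose #to_path returns a fresh copy. VettedFileBody and lint_to_path are hypothetical stand-ins, and TAINT_SUPPORTED is feature detection assumed here.

```ruby
require "tempfile"

# Feature detection (assumption): taint tracking was deprecated in Ruby 2.7
# and removed in 3.2, so `tainted?` may not exist on the Ruby running this.
TAINT_SUPPORTED = String.method_defined?(:tainted?)

# Reproduce the report's observation for one path: do File#path and
# File#to_path carry the same taint flag as the string given to File.open?
# Returns nil where the Ruby in use has no taint tracking at all.
def taint_preserved?(path)
  return nil unless TAINT_SUPPORTED
  File.open(path, "r") do |file|
    file.path.tainted? == path.tainted? &&
      file.to_path.tainted? == path.tainted?
  end
end

# Application-side mitigation (hypothetical body class, not rack's):
# #to_path returns the very string that passed validation, so a $SAFE
# existence check downstream never sees a freshly tainted copy.
class VettedFileBody
  attr_reader :to_path

  def initialize(vetted_path)
    @to_path = vetted_path # the exact object the application vetted
  end

  def each(&block)
    File.foreach(@to_path, &block)
  end
end

# Stand-in for the rack/lint check quoted in the report: the existence
# test runs on whatever the body's #to_path returns.
def lint_to_path(body)
  return :no_to_path unless body.respond_to?(:to_path)
  File.exist?(body.to_path) ? :ok : :missing
end
```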

Files

file-path-taint.patch (1.9 KB), jeremyevans0 (Jeremy Evans), 06/20/2019 06:58 PM