Actions
Bug #14485
closed
For File#path.tainted? and File#to_path.tainted? should match original.tainted?
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
Description
Problem: if you create a File object using an untainted path, File#path and File#to_path return identical strings except they are tainted. That's counter-intuitive. If the input path has been properly vetted then File should not taint it.
Here's a simple example which produces a security violation:
#!/usr/bin/ruby -w
$SAFE = 1
path = './myfile.txt'
file = File.open(path, 'r')
File.exist?(file.path)
which gives us this error:
./to-path.rb:5:in `exist?': Insecure operation - exist? (SecurityError)
from ./to-path.rb:5:in `<main>'
In this example, path isn't tainted because it was created in the program. However, file.path, which is an identical string (i.e. not normalized) is tainted.
This issue became a problem in rack/lint. (Not sure how to tell which version.) Lint tries to do some optimizing, but crashes in these lines:
if @body.respond_to?(:to_path)
assert("The file identified by body.to_path does not exist") {
::File.exist? @body.to_path
}
end
Files
Updated by 
Updated by jeremyevans (Jeremy Evans)
Actions
Like0
Like0Like0Like0Like0