Feature #16131


Remove $SAFE, taint and trust

Added by naruse (Yui NARUSE) about 2 years ago. Updated almost 2 years ago.

Target version:


Ruby had Taint checking which is originally introduced in Perl.

It was intended to provide a useful tool for handle objects which are come from outside.
Input data is set as tainted by default and call untaint if you checked or filtered the value.
Some people used this feature in the age of CGI.

But these days, no one use the mechanism and input libraries usually doesn't support it.
For example rack, as following shows its input is not tainted and the mechanism is unusable.

% cat
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
% rackup
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false

Therefore I think Taint checking mechanism is unusable on the current Ruby ecosystem.

On the other hand we experienced multiple vulnerability around $SAFE and taint mechanism.
The cost of maintaining it is expensive.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it.
I suggest to remove it.

Related issues

Related to Ruby master - Feature #15998: Allow String#-@ to deduplicate tainted string, but return an untainted oneClosedActions
Related to Ruby master - Feature #8468: Remove $SAFEClosedshugo (Shugo Maeda)06/01/2013Actions
Related to Ruby master - Bug #9588: program name variables taintedClosedActions

Also available in: Atom PDF