Feature #19723


[RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method

Added by postmodern (Hal Brodigan) 11 months ago. Updated 10 months ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:113864]

Description

Due to Kernel.open() supporting opening pipe-commands (ex: "|command-here...") this has led to multiple security vulnerabilities, where malicious user-input eventually is passed to Kernel.open(). One of the code paths through which malicious user-input can reach Kernel.open() is open-uri's URI.open() method. RuboCop even recommends avoiding using URI.open() in favor of uri = URI.parse(...); uri.open to avoid accidentally opening malicious "|command..." inputs. I propose that URI.open() should not accept pipe-commands, as they are neither URIs nor files. One could even argue that URI.open() should only accept URIs and never fall back to Kernel.open().


Related issues (1): 0 open, 1 closed

Related to Ruby master - Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues (Closed)

Updated by postmodern (Hal Brodigan) 11 months ago

  • Tracker changed from Bug to Feature
  • Backport deleted (3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN)

Updated by mdalessio (Mike Dalessio) 11 months ago

I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).

If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.

Updated by postmodern (Hal Brodigan) 11 months ago

mdalessio (Mike Dalessio) wrote in #note-2:

I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).

If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.

This could be done before #19630 by changing URI.open to either fall back to File.open or not fall back to open at all. We could preemptively close this vulnerable code path before Ruby 4.0, since URI.open implies that it opens URIs and only URIs.
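As an added example (not from this ticket and not open-uri's own code), a guard that refuses the Kernel#open pipe form and any non-http(s) target before anything is opened, i.e. the strict "no fall-through" variant of the proposal above. `classify_open_target`, `safe_uri_open`, `ALLOWED_SCHEMES` and `UnsafeOpenTarget` are assumed names.

```ruby
require "open-uri"
require "uri"

# Hypothetical wrapper (not part of open-uri): only http/https URIs are
# opened, via URI::HTTP#open; everything else is refused instead of being
# handed to Kernel#open, whose "|command" form spawns a process.
ALLOWED_SCHEMES = %w[http https].freeze

class UnsafeOpenTarget < ArgumentError; end

# Classify a string the way a guard should before calling any open:
#   :pipe    - "|command..." (Kernel#open would execute it)
#   :uri     - http(s) URI, safe to hand to open-uri
#   :file    - anything else that parses (plain path, file:, ftp:, ...)
#   :invalid - does not parse as a URI at all
def classify_open_target(str)
  s = str.to_s
  return :pipe if s.start_with?("|")
  uri = begin
    URI.parse(s)
  rescue URI::InvalidURIError
    return :invalid
  end
  ALLOWED_SCHEMES.include?(uri.scheme) ? :uri : :file
end

# Drop-in replacement for URI.open(str) with no Kernel#open fall-through:
# the only thing ever opened is a URI::HTTP / URI::HTTPS object.
def safe_uri_open(str, *rest, &block)
  case classify_open_target(str)
  when :uri
    URI.parse(str).open(*rest, &block)
  when :pipe
    raise UnsafeOpenTarget, "refusing pipe command: #{str.inspect}"
  else
    raise UnsafeOpenTarget, "not an http(s) URI: #{str.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; classification never touches the network.
  ["|id", "/etc/hosts", "file:///etc/hosts", "https://example.com/"].each do |input|
    puts "#{input.inspect} => #{classify_open_target(input)}"
  end
end
```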


Updated by kosaki (Motohiro KOSAKI) 11 months ago

  • Related to Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues added

Updated by hsbt (Hiroshi SHIBATA) 10 months ago

  • Status changed from Open to Closed