Feature #19723
closed
[RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method
Added by postmodern (Hal Brodigan) 11 months ago.
Updated 10 months ago.
Description
Due to Kernel.open() supporting opening pipe-commands (ex: "|command-here...") this has led to multiple 1 security 2 vulnerabilities 3, where malicious user-input eventually is passed to Kernel.open(). One of the code-paths that malicious user-input can reach Kernel.open() is via open-uri's URI.open() method. RuboCop even recommends avoiding using URI.open() in favor of uri = URI.parse(...); uri.open to avoid accidentally opening malicious "|command..." inputs. I propose that URI.open() should not accept pipe-commands, as they are neither URIs nor files. One could even argue that URI.open() should only accept URIs and never fallback to Kernel.open().
- Tracker changed from Bug to Feature
- Backport deleted (
3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN)
I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).
If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.
mdalessio (Mike Dalessio) wrote in #note-2:
I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).
If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.
This could be done before #19630 by changing URI.open to either fallback to File.open or not fallback to open at all. We could preemptively close this vulnerable code path before Ruby 4.0, since URI.open implies that it opens URIs and only URIs.
- Related to Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues added
- Status changed from Open to Closed
Also available in: Atom
PDF
Like0
Like0Like0Like0Like0Like0
Updated by 
Updated by 
Updated by 
Updated by