Backport #7325

Marshal#load taints classes if they are referenced in a marshaled object

Added by urielka (Uriel Katz) about 8 years ago. Updated about 8 years ago.



= Reproducing steps:
ruby taint.rb

= Output of this script in my computer running 1.9.3-p327:
Before marshal is tainted?: false
After marshal is tainted?: true
Safe level when calling tainted method using call: 4
Safe level when calling tainted method directly: 0

= Expected:
MyObject#test shouldn't be tainted, as it was defined in my own source and what was saved into the file is just a reference to the MyObject class ("\u0004\bc\rMyObject")

= Actual:
MyObject#test is tainted and calling it using Method#call will make it run in safe-level 4.

= Some background on how I got to this issue:
I wrote some RPC code that accepts a class and method name and does the invocation; the way I call the method is getting the method from the instance using something like: "cls_instance.method(method_name).call"

I used Rails.cache with FileStore (which uses Marshal#load from file) to cache an object that had references to classes.

After reading from the cache all other requests saw the classes as tainted and when calling the methods they ran at $SAFE=4 which caused it to fail (even puts doesn't work at that level :)

This issue also made me understand that there are 2 potential bugs in Rails.


Attachment: taint.rb (458 Bytes), urielka (Uriel Katz), 11/10/2012 10:00 PM
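The following is an added reconstruction of the scenario the report describes; it is not the attached taint.rb and the helper names (`taint_supported?`, `load_from_untrusted`, `reproduce`) are assumptions. It dumps a bare reference to MyObject (the "\u0004\bc\rMyObject" bytes quoted above), loads it back as if read from an untrusted file, and reports whether the class object itself became tainted; on Rubies where taint was removed the check reports "not supported" instead of a result.

```ruby
# Added reconstruction of the reported scenario (not the attached taint.rb).
# On Ruby 1.9.3 the class object is tainted after Marshal.load of tainted data;
# from Ruby 2.7 taint is a no-op and from 3.2 tainted?/$SAFE are gone, so the
# check degrades to "taint not supported" (nil) on those interpreters.

class MyObject
  def test
    "hello from MyObject#test"
  end
end

# Does this interpreter still carry real taint state?
def taint_supported?
  Object.new.respond_to?(:tainted?) && RUBY_VERSION < "2.7"
end

# The cached value only holds a reference to the class, mirroring what the
# FileStore cache in the report contained: Marshal.dump(MyObject) yields
# "\x04\bc\rMyObject" (format 4.8, type 'c', 8-byte class name).
def marshal_class_reference(klass)
  Marshal.dump(klass)
end

# Simulate reading the blob from an untrusted source such as a file, which on
# taint-aware Rubies marks the string tainted, then load it. Marshal.load
# propagates that taint to every object it returns, including the shared
# MyObject class object itself.
def load_from_untrusted(blob)
  data = blob.dup
  data.taint if taint_supported?
  Marshal.load(data)
end

# Returns the observations the report prints, plus the raw bytes and the
# loaded object so a caller can verify that only a class reference was stored.
def reproduce
  before = taint_supported? ? MyObject.tainted? : nil
  loaded = load_from_untrusted(marshal_class_reference(MyObject))
  after  = taint_supported? ? MyObject.tainted? : nil
  { blob: marshal_class_reference(MyObject), loaded: loaded, before: before, after: after }
end

if __FILE__ == $0
  r = reproduce
  puts "Marshaled class reference: #{r[:blob].inspect}"
  puts "Before marshal is tainted?: #{r[:before].inspect}"
  puts "After marshal is tainted?: #{r[:after].inspect}"
end
```

On 1.9.3 the "after" value is the reported `true`; the taint survives on the class object, so every later caller of MyObject's methods is affected, not just the request that read the cache.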
