Bug #11442

Updated by gwelch (Grant Welch) over 6 years ago

Subject: String#to_sym returns an untainted Symbol. 

 Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some. 


 # Proof #Proof of Concept: 
 # cat untainted_sym.rb 

 #!/usr/bin/env ruby -w 
 print 'Enter a string? ' 
 a = gets 
 puts "a: #{a.inspect}, tainted? #{a.tainted?}" 
 b = a.to_sym 
 puts "b: #{b.inspect}, tainted? #{b.tainted?}" 
 c = b.to_s 
 puts "c: #{c.inspect}, tainted? #{c.tainted?}" 
 puts "a == c: #{a == c}" 

 # Output: 

 $ ruby -w untainted_sym.rb 
 Enter a string? foobar 
 a: "foobar\n", tainted? true 
 b: :"foobar\n", tainted? false 
 c: "foobar\n", tainted? false 
 a == c: true 

 # Sample #Sample Workaround: (to provide the expected SecurityError) 

 # safe_level, 1 or 2 
 # uncertain_var, some variable that could, potentially, be tainted 
 untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call     # => Symbol for untainted var, SecurityError for tainted var 

 # Versions #Versions Tested: 
 * ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux] 
 * ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux] 
 * ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux] 
 * ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]