From: phil.ross@...
Date: 2018-03-30T22:00:26+00:00
Subject: [ruby-core:86408] [Ruby trunk Bug#14060][Open] SecurityError with $SAFE=1 when requiring an untainted path

Issue #14060 has been updated by philr3 (Phil Ross).

Status changed from Closed to Open

This bug is now showing up as a regression in version 2.4.4 (it didn't occur in version 2.4.3):

~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.4p296 (2018-03-28 revision 63013) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
	from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /home/philr/.rbenv/versions/2.4.4/lib/ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from (irb):5
	from /home/philr/.rbenv/versions/2.4.4/bin/irb:11:in `'
~~~

----------------------------------------
Bug #14060: SecurityError with $SAFE=1 when requiring an untainted path
https://bugs.ruby-lang.org/issues/14060#change-71337

* Author: philr3 (Phil Ross)
* Status: Open
* Priority: Normal
* Assignee: nobu (Nobuyoshi Nakada)
* Target version:
* ruby -v: ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
Calling `Kernel#require` with `$SAFE=1` on Ruby 2.5.0preview1 results in a `SecurityError` when the path being required is not tainted:

~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.5.0preview1 (2017-10-10 trunk 60153) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
SecurityError: Insecure operation - gem_original_require
	from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	from /home/philr/.rbenv/versions/2.5.0-preview1/lib/ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
	from (irb):5
	from /home/philr/.rbenv/versions/2.5.0-preview1/bin/irb:11:in `'
irb(main):006:0> $:.find_all {|p| p.tainted? }
=> []
~~~

I would expect the `SecurityError` to be raised only when the path being required is tainted. For example, on Ruby 2.4.2:

~~~ ruby
irb(main):001:0> RUBY_DESCRIPTION
=> "ruby 2.4.2p198 (2017-09-14 revision 59899) [x86_64-linux]"
irb(main):002:0> $SAFE=1
=> 1
irb(main):003:0> f='fileutils'
=> "fileutils"
irb(main):004:0> f.tainted?
=> false
irb(main):005:0> require f
=> true
irb(main):006:0> tainted_f = 'fileutils'.taint
=> "fileutils"
irb(main):007:0> tainted_f.tainted?
=> true
irb(main):008:0> require tainted_f
SecurityError: Insecure operation - gem_original_require
	from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from /home/philr/.rbenv/versions/2.4.2/lib/ruby/site_ruby/2.4.0/rubygems/core_ext/kernel_require.rb:55:in `require'
	from (irb):8
	from /home/philr/.rbenv/versions/2.4.2/bin/irb:11:in `'
~~~

-- 
https://bugs.ruby-lang.org/

Unsubscribe:
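The irb sessions above are hand-typed and the outcome depends on which Ruby is installed. The script below is an added, standalone reproduction of the same check; it is not the reporter's code and not part of the Ruby bug tracker. It encodes the invariant the report expects (require of an untainted feature at $SAFE=1 succeeds, require of a tainted one raises SecurityError), probes both cases in a throwaway thread, and also lists any tainted $LOAD_PATH entries, since a tainted load-path entry would be a legitimate reason for the error. The assumptions are stated in the header comment: Ruby 2.4/2.5 keep $SAFE per thread and refuse to lower it, Ruby 2.6+ make it process-global and lowerable, Ruby 2.7 to 3.1 keep `taint` as a deprecated no-op, and Ruby 3.2+ have no taint methods at all; the helper names (`probe_require_under_safe`, `tainted_load_path_entries`, `safe_require_report`) are mine.

```ruby
# Added reproduction script for the report above; not the reporter's code and
# not part of the Ruby bug tracker. Assumptions: Ruby 2.4/2.5 keep $SAFE per
# thread and refuse to lower it, Ruby 2.6+ make it process-global and
# lowerable, Ruby 2.7-3.1 keep String#taint as a deprecated no-op, and
# Ruby 3.2+ have no taint methods at all. FEATURE is the stdlib feature the
# report uses; its name is untainted and resolvable through $LOAD_PATH.
FEATURE = 'fileutils'.freeze

# $LOAD_PATH entries that are tainted. The report checks this is empty,
# because a tainted load-path entry would legitimately trigger the check.
def tainted_load_path_entries
  $LOAD_PATH.select { |p| p.respond_to?(:tainted?) && p.tainted? }
end

# Runs `require feature` at $SAFE=1 in a fresh thread and classifies the result:
#   :ok                 require returned (true or false) without raising
#   :security_error     require raised SecurityError
#   :taint_unsupported  taint: true was requested but this Ruby cannot taint
def probe_require_under_safe(feature, taint: false)
  name = feature.dup # unfrozen copy so it can be tainted
  if taint
    return :taint_unsupported unless name.respond_to?(:taint)
    name.taint
    return :taint_unsupported unless name.tainted? # no-op taint on 2.7-3.1
  end
  Thread.new do
    begin
      $SAFE = 1
      require name
      :ok
    rescue SecurityError
      :security_error
    end
  end.value
ensure
  # On Ruby 2.6+ the thread's $SAFE=1 is process-wide; drop it again so the
  # caller is unaffected. On 2.4/2.5 the main thread never left level 0.
  $SAFE = 0 if ($SAFE || 0) > 0
end

# Expected on a correct Ruby (2.4.2, 2.4.3): untainted => :ok, tainted => :security_error.
# On 2.4.4 and 2.5.0preview1 the untainted probe also returns :security_error,
# which is the regression the report describes.
def safe_require_report
  {
    ruby: RUBY_DESCRIPTION,
    tainted_load_path: tainted_load_path_entries,
    untainted: probe_require_under_safe(FEATURE),
    tainted: probe_require_under_safe(FEATURE, taint: true)
  }
end

if __FILE__ == $0
  safe_require_report.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with each rbenv version in turn (`ruby probe.rb`) and compare the `untainted` line: `:ok` on 2.4.3, `:security_error` on 2.4.4 and 2.5.0preview1. The probe runs in its own thread so that, on Rubies where $SAFE cannot be lowered, the rest of the process is not locked into level 1.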