From: merch-redmine@... Date: 2019-10-17T15:52:24+00:00 Subject: [ruby-core:95397] [Ruby master Feature#16131] Remove $SAFE, taint and trust Issue #16131 has been updated by jeremyevans0 (Jeremy Evans). The blocker on merging the pull request is that test-bundled-gems is failing due to the `rake` test failure. https://github.com/ruby/rake/pull/329 needs to be merged (and I don't have permissions to merge it), and a new rake released and bundled with Ruby. I checked and Bundler and Rubygems are the only libraries affected that use external upstreams. All other affected libraries (default gems) are under the ruby organization on GitHub. We need to decide how we want to handle these: Default gems without extensions ``` fileutils irb reline rexml rss webrick ``` Default gems with extensions: ``` bigdecimal date dbm etc fiddle gdbm io-console openssl psych stringio strscan zlib ``` Are we OK with just removing the calls to taint/untaint? I'm not sure, but I believe that may cause issues when using previous versions of Ruby. The simplest fix here is to set the required ruby version in the related gemspecs to 2.6.99 to allow 2.7.0 preview/beta versions and above to work. That will mean older versions of Ruby cannot install newer versions of the gems. Is that acceptable? ---------------------------------------- Feature #16131: Remove $SAFE, taint and trust https://bugs.ruby-lang.org/issues/16131#change-82110 * Author: naruse (Yui NARUSE) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- Ruby had Taint checking which is originally introduced in Perl. https://en.wikipedia.org/wiki/Taint_checking It was intended to provide a useful tool for handle objects which are come from outside. Input data is set as tainted by default and call untaint if you checked or filtered the value. Some people used this feature in the age of CGI. But these days, no one use the mechanism and input libraries usually doesn't support it. For example rack, as following shows its input is not tainted and the mechanism is unusable. ``` % cat foo.ru run ->(env) do ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]] end % rackup foo.ru [51724] Puma starting in cluster mode... [51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas [51724] * Min threads: 3, max threads: 3 [51724] * Environment: development [51724] * Process workers: 1 [51724] * Preloading application [51724] * Listening on tcp://localhost:9292 [51724] Use Ctrl-C to stop [51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile [51724] - Worker 0 (pid: 51737) booted, phase: 0 ``` ``` % curl http://localhost:9292/\?foo=1 Is QUERY_STRING tainted?: false ``` Therefore I think Taint checking mechanism is unusable on the current Ruby ecosystem. On the other hand we experienced multiple vulnerability around $SAFE and taint mechanism. https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8 The cost of maintaining it is expensive. In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest to remove it. -- https://bugs.ruby-lang.org/ Unsubscribe: