If the gems in question have updates available via RubyGems, I would recommend that the major versions on these be bumped so that restrictions can be handled better for applications. I _never_ hard-drop a Ruby version without changing the major on any of the gems that I support.

-a

On Thu, Oct 17, 2019 at 11:52 AM wrote:

> Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).
>
> The blocker on merging the pull request is that test-bundled-gems is failing due to the `rake` test failure. https://github.com/ruby/rake/pull/329 needs to be merged (and I don't have permissions to merge it), and a new rake released and bundled with Ruby.
>
> I checked, and Bundler and Rubygems are the only libraries affected that use external upstreams. All other affected libraries (default gems) are under the ruby organization on GitHub. We need to decide how we want to handle these:
>
> Default gems without extensions:
>
> ```
> fileutils
> irb
> reline
> rexml
> rss
> webrick
> ```
>
> Default gems with extensions:
>
> ```
> bigdecimal
> date
> dbm
> etc
> fiddle
> gdbm
> io-console
> openssl
> psych
> stringio
> strscan
> zlib
> ```
>
> Are we OK with just removing the calls to taint/untaint? I'm not sure, but I believe that may cause issues when using previous versions of Ruby. The simplest fix here is to set the required ruby version in the related gemspecs to 2.6.99 to allow 2.7.0 preview/beta versions and above to work. That will mean older versions of Ruby cannot install newer versions of the gems. Is that acceptable?
>
> ----------------------------------------
> Feature #16131: Remove $SAFE, taint and trust
> https://bugs.ruby-lang.org/issues/16131#change-82110
>
> * Author: naruse (Yui NARUSE)
> * Status: Open
> * Priority: Normal
> * Assignee:
> * Target version:
> ----------------------------------------
> Ruby had taint checking, which was originally introduced in Perl.
> https://en.wikipedia.org/wiki/Taint_checking
>
> It was intended to provide a useful tool for handling objects which come from outside. Input data is set as tainted by default, and you call untaint once you have checked or filtered the value. Some people used this feature in the age of CGI.
>
> But these days, no one uses the mechanism, and input libraries usually don't support it. For example, as the following shows, rack's input is not tainted and the mechanism is unusable.
>
> ```
> % cat foo.ru
> run ->(env) do
>   ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
> end
> % rackup foo.ru
> [51724] Puma starting in cluster mode...
> [51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
> [51724] * Min threads: 3, max threads: 3
> [51724] * Environment: development
> [51724] * Process workers: 1
> [51724] * Preloading application
> [51724] * Listening on tcp://localhost:9292
> [51724] Use Ctrl-C to stop
> [51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
> [51724] - Worker 0 (pid: 51737) booted, phase: 0
> ```
>
> ```
> % curl http://localhost:9292/\?foo=1
> Is QUERY_STRING tainted?: false
> ```
>
> Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.
>
> On the other hand, we have experienced multiple vulnerabilities around $SAFE and the taint mechanism.
>
> https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
> The cost of maintaining it is high.
>
> In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest removing it.
>
> --
> https://bugs.ruby-lang.org/

--
Austin Ziegler • halostatue@gmail.com • austin@halostatue.ca
http://www.halostatue.ca/ • http://twitter.com/halostatue
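The two options the thread weighs for the default gems, the `required_ruby_version` gate at 2.6.99 rather than 2.7.0, and dropping the taint/untaint calls, as an added Ruby example that is not part of the thread or of any of the gems listed. The gem name, the sample Ruby version list and the `untaint_if_supported` guard are assumptions made for this illustration.

```ruby
require "rubygems"

# Two ways to express the version gate the thread discusses. The sample Ruby
# version list below is constructed for this example.
REQUIREMENT_NAIVE    = Gem::Requirement.new(">= 2.7.0")
REQUIREMENT_PROPOSED = Gem::Requirement.new(">= 2.6.99")

SAMPLE_RUBIES = %w[2.5.7 2.6.5 2.7.0.preview2 2.7.0 3.0.0].freeze

# Which of the given Ruby versions would satisfy a gemspec's required_ruby_version.
def installable_versions(requirement, versions)
  versions.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# Gem::Version sorts "2.7.0.preview2" *below* 2.7.0 (a prerelease segment compares
# lower than the bare release), so ">= 2.7.0" rejects exactly the preview/beta
# builds the release process needs to test against, while ">= 2.6.99" admits
# them and still keeps 2.6.x and older out.
installable_versions(REQUIREMENT_NAIVE, SAMPLE_RUBIES)    # => ["2.7.0", "3.0.0"]
installable_versions(REQUIREMENT_PROPOSED, SAMPLE_RUBIES) # => ["2.7.0.preview2", "2.7.0", "3.0.0"]

# The other option raised is removing the taint/untaint calls outright. A guarded
# call (an assumption added here, not something the thread proposes) keeps one gem
# source working on both sides: where tainting still exists the value is untainted
# as before; on a Ruby that has dropped it the call is never made, so nothing
# deprecated or missing is invoked.
def untaint_if_supported(obj)
  obj.untaint if obj.respond_to?(:untaint) && obj.tainted?
  obj
end

# A gemspec carrying the proposed gate; the gem name and metadata are constructed.
def example_gemspec
  Gem::Specification.new do |s|
    s.name                  = "example-default-gem"
    s.version               = "1.0.0"
    s.summary               = "Example of the proposed required_ruby_version gate"
    s.authors               = ["example"]
    s.required_ruby_version = ">= 2.6.99"
  end
end
```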