ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:70373] [Ruby trunk - Bug #11442] [Open] String#to_sym returns an untainted Symbol.
From: gwelch925 @ 2015-08-14  4:35 UTC
  To: ruby-core

Issue #11442 has been reported by Grant Welch.

----------------------------------------
Bug #11442: String#to_sym returns an untainted Symbol.
https://bugs.ruby-lang.org/issues/11442

* Author: Grant Welch
* Status: Open
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

---------------------------------------------------------------
Proof of Concept:
---------------------------------------------------------------
# cat untainted_sym.rb

#!/usr/bin/env ruby -w
print 'Enter a string? '
a = gets
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
b = a.to_sym
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
c = b.to_s
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"
---------------------------------------------------------------

---------------------------------------------------------------
Output:
---------------------------------------------------------------
$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true
---------------------------------------------------------------

---------------------------------------------------------------
Sample Workaround: (to provide the expected SecurityError)
---------------------------------------------------------------
# safe_level, 1 or 2
# uncertain_var, some variable that could, potentially, be tainted
untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call   # => Symbol for untainted var, SecurityError for tainted var
---------------------------------------------------------------

---------------------------------------------------------------
Versions Tested:
---------------------------------------------------------------
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
---------------------------------------------------------------




-- 
https://bugs.ruby-lang.org/


* [ruby-core:70374] [Ruby trunk - Bug #11442] String#to_sym returns an untainted Symbol.
From: gwelch925 @ 2015-08-14  4:38 UTC
  To: ruby-core

Issue #11442 has been updated by Grant Welch.

Description updated

----------------------------------------
Bug #11442: String#to_sym returns an untainted Symbol.
https://bugs.ruby-lang.org/issues/11442#change-53779

* Author: Grant Welch
* Status: Open
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

---------------------------------------------------------------

#Proof of Concept:
~~~
# cat untainted_sym.rb

#!/usr/bin/env ruby -w
print 'Enter a string? '
a = gets
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
b = a.to_sym
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
c = b.to_s
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"
~~~

#Output:
~~~
$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true
~~~

#Sample Workaround: (to provide the expected SecurityError)
~~~
# safe_level, 1 or 2
# uncertain_var, some variable that could, potentially, be tainted
untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call   # => Symbol for untainted var, SecurityError for tainted var
~~~

#Versions Tested:
ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]




-- 
https://bugs.ruby-lang.org/


* [ruby-core:70375] [Ruby trunk - Bug #11442] String#to_sym returns an untainted Symbol.
From: gwelch925 @ 2015-08-14  4:39 UTC
  To: ruby-core

Issue #11442 has been updated by Grant Welch.

Description updated

----------------------------------------
Bug #11442: String#to_sym returns an untainted Symbol.
https://bugs.ruby-lang.org/issues/11442#change-53780

* Author: Grant Welch
* Status: Open
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

---------------------------------------------------------------

# Proof of Concept:
~~~
# cat untainted_sym.rb

#!/usr/bin/env ruby -w
print 'Enter a string? '
a = gets
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
b = a.to_sym
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
c = b.to_s
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"
~~~

# Output:

~~~
$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true
~~~

# Sample Workaround: (to provide the expected SecurityError)

~~~
# safe_level, 1 or 2
# uncertain_var, some variable that could, potentially, be tainted
untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call   # => Symbol for untainted var, SecurityError for tainted var
~~~

# Versions Tested:
* ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
* ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
* ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
* ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]




-- 
https://bugs.ruby-lang.org/


* [ruby-core:70380] [Ruby trunk - Bug #11442] Bug: Symbols should be taintable.
From: gwelch925 @ 2015-08-14  5:59 UTC
  To: ruby-core

Issue #11442 has been updated by Grant Welch.

Subject changed from String#to_sym returns an untainted Symbol. to Bug: Symbols should be taintable.

After some additional testing, I've come to the conclusion that Symbols cannot be tainted (example below). I expect this may be due to the fact that symbols have a dual meaning. 1) They are a String because we want them to be human-readable, and 2) they are a Number so they can be quickly retrieved. It's understandable that Numbers don't carry a taint flag, but since Symbols have practical use cases in place of Strings, they should carry over 'tainted?' when coming from String#to_sym.

~~~
proc {$SAFE=3;(a = :foo).tainted?}.call # => false
~~~

~~~
a = :foo
a.taint
a.tainted? # => false
~~~

Note: I have come to the conclusion that the behavior is as expected, but I am leaving the issue as a Bug (rather than a Feature) because the logic that Symbols should be un-taintable is flawed.

----------------------------------------
Bug #11442: Bug: Symbols should be taintable.
https://bugs.ruby-lang.org/issues/11442#change-53783

* Author: Grant Welch
* Status: Open
* Priority: Normal
* Assignee: Yukihiro Matsumoto
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
-- 
https://bugs.ruby-lang.org/


* [ruby-core:94315] [Ruby master Bug#11442] Bug: Symbols should be taintable.
From: merch-redmine @ 2019-08-12 23:57 UTC
  To: ruby-core

Issue #11442 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

Ruby makes `taint` and `untaint` just return the receiver if called on any object that is not considered taintable. That includes all immediate objects (symbols, integers (fixnums), true, false, nil), as well as integers (bignums) and floats. So this behavior is expected and not a bug.


----------------------------------------
Bug #11442: Bug: Symbols should be taintable.
https://bugs.ruby-lang.org/issues/11442#change-80674

* Author: gwelch (Grant Welch)
* Status: Closed
* Priority: Normal
* Assignee: matz (Yukihiro Matsumoto)
* Target version: 
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
-- 
https://bugs.ruby-lang.org/

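An added example, not code from the bug report or from Ruby itself, showing the defensive alternative to a taint-based gate: since a Symbol never carries the taint flag (the thread's conclusion), untrusted text is validated against an explicit allowlist of pre-existing Symbols and never passed to `to_sym` at all. `Report`, `ALLOWED_ACTIONS`, `safe_action_symbol` and `dispatch` are constructed for this illustration; the approach needs no taint support, so it also works on Ruby versions that have since removed `$SAFE` and taint tracking.

```ruby
# Constructed allowlist of actions a caller may request by name.
# Only these pre-existing Symbols can ever be produced from user input.
ALLOWED_ACTIONS = %i[show export].freeze

# Constructed target object; #destroy must not be reachable via user input.
class Report
  def show;    "showing report";   end
  def export;  "exporting report"; end
  def destroy; "report destroyed"; end
end

# Map untrusted text to one of the allowlisted Symbols, or raise.
# `gets` returns a trailing newline (the PoC printed "foobar\n"), so the
# input is normalised before comparison. The comparison is done on the
# String side: the untrusted value is never interned as a new Symbol, and
# no taint flag is consulted, so nothing is lost when the flag is absent.
def safe_action_symbol(input)
  candidate = input.to_s.strip
  action = ALLOWED_ACTIONS.find { |sym| sym.to_s == candidate }
  raise ArgumentError, "action not permitted: #{candidate.inspect}" unless action
  action
end

# Dispatch only through the validated Symbol. Calling public_send with an
# arbitrary user-supplied name would expose Report#destroy.
def dispatch(report, input)
  report.public_send(safe_action_symbol(input))
end

if __FILE__ == $PROGRAM_NAME
  report = Report.new
  puts dispatch(report, "export\n")       # trailing newline as from gets
  begin
    dispatch(report, "destroy")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```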
