From: merch-redmine@jeremyevans.net
Date: Fri, 04 Oct 2019 16:17:47 +0000 (UTC)
To: ruby-core@ruby-lang.org
Subject: [ruby-core:95228] [Ruby master Feature#16131] Remove $SAFE, taint and trust

Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).

I've rebased my pull request against master and fixed the conflicts (https://github.com/ruby/ruby/pull/2476). I've also removed mentions of $SAFE and taint from the documentation.

Due to the extent of the changes, I don't want to wait too long before merging this. Otherwise, there will probably be more conflicts to resolve, and an increased chance of an untaint/taint call being introduced. Also due to the extent of the changes, another committer should review.

We still need to decide how we want to handle upstreams that want to support older ruby versions. Do we want to just notify upstreams and request that they fix it? Do we want to recommend a specific approach, such as (for rubygems):

```ruby
if RUBY_VERSION >= '2.7'
  # Taint is gone on 2.7+, so the helper is a no-op.
  def Gem.untaint_obj(obj)
  end
else
  # Older rubies still track taint, so clear the flag.
  def Gem.untaint_obj(obj)
    obj.untaint
  end
end
```

And changing all the calls? Or wrapping all calls in `if RUBY_VERSION < '2.7'`?

test-bundled-gems is failing with this patch (a single rake test). I submitted a patch upstream to skip that test on Ruby 2.7+: https://github.com/ruby/rake/pull/329

----------------------------------------
Feature #16131: Remove $SAFE, taint and trust
https://bugs.ruby-lang.org/issues/16131#change-81902

* Author: naruse (Yui NARUSE)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
----------------------------------------
Ruby had Taint checking, which was originally introduced in Perl.
https://en.wikipedia.org/wiki/Taint_checking

It was intended to provide a useful tool for handling objects which come from outside. Input data is set as tainted by default, and you call untaint once you have checked or filtered the value.

Some people used this feature in the age of CGI. But these days, no one uses the mechanism and input libraries usually don't support it. For example rack: as the following shows, its input is not tainted and the mechanism is unusable.

```
% cat foo.ru
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
end
% rackup foo.ru
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
```

```
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false
```

Therefore I think the Taint checking mechanism is unusable in the current Ruby ecosystem.

On the other hand, we have experienced multiple vulnerabilities around the $SAFE and taint mechanism.
https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
The cost of maintaining it is expensive.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it. I suggest removing it.

-- 
https://bugs.ruby-lang.org/
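Following up on the compatibility question raised in the comment above, here is an added example (not from the thread, and not rubygems' own code) of a shim that an upstream library could use to keep one code path across rubies with and without taint. It detects the feature instead of relying on a string comparison of RUBY_VERSION, which orders "2.10" before "2.7"; `Compat`, `TAINT_AVAILABLE`, `version_at_least?` and `untaint_obj` are hypothetical names.

```ruby
# Added example: cross-version shim for libraries that called untaint.
# Uses only the standard library (Gem::Version ships with rubygems).
require 'rubygems'

module Compat
  # Feature detection. Before 2.7, Object#untaint clears the taint flag;
  # in 2.7-3.1 it still exists but is a deprecated no-op that warns;
  # from 3.2 the method is gone and calling it raises NoMethodError.
  TAINT_AVAILABLE = Object.method_defined?(:untaint)

  # Compare versions with Gem::Version rather than String#>=, so that
  # "2.10" >= "2.7" is true (as a string comparison it is false).
  def self.version_at_least?(wanted, current = RUBY_VERSION)
    Gem::Version.new(current) >= Gem::Version.new(wanted)
  end

  if TAINT_AVAILABLE && !version_at_least?('2.7')
    # Old rubies: the object is still tracked as tainted, so clear it
    # after the caller has validated the value.
    def self.untaint_obj(obj)
      obj.untaint
    end
  else
    # 2.7+: nothing to clear; return the object unchanged so callers can
    # keep chaining on the result.
    def self.untaint_obj(obj)
      obj
    end
  end
end
```

Once taint is removed the validation itself has to be explicit at the boundary; the shim only keeps existing call sites from raising on newer rubies.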