ruby-core@ruby-lang.org archive (unofficial mirror)
From: merch-redmine@jeremyevans.net
To: ruby-core@ruby-lang.org
Subject: [ruby-core:95871] [Ruby master Feature#16131] Remove $SAFE, taint and trust
Date: Sun, 17 Nov 2019 23:14:31 +0000 (UTC)
Message-ID: <redmine.journal-82706.20191117231430.a4686bc11be02b3d@ruby-lang.org>
In-Reply-To: redmine.issue-16131.20190829071434@ruby-lang.org

Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

I merged these changes at commit:4c7dc9fbe604cc0c8343b1225c96d4e5219b8147. There is still one failing CI test, but it is the same one that has been failing in the master branch for a few days, related to makefile dependencies.

----------------------------------------
Feature #16131: Remove $SAFE, taint and trust
https://bugs.ruby-lang.org/issues/16131#change-82706

* Author: naruse (Yui NARUSE)
* Status: Closed
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Ruby had taint checking, which was originally introduced in Perl.
https://en.wikipedia.org/wiki/Taint_checking

It was intended to provide a useful tool for handling objects that come from outside.
Input data is set as tainted by default, and you call untaint once you have checked or filtered the value.
Some people used this feature in the age of CGI.

But these days, no one uses the mechanism, and input libraries usually don't support it.
For example, with rack, as the following shows, its input is not tainted and the mechanism is unusable.

```
% cat foo.ru
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
end
% rackup foo.ru
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
```

```
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false
```

Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.

On the other hand, we have experienced multiple vulnerabilities around the $SAFE and taint mechanism.
https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
The cost of maintaining it is expensive.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit of it.
I suggest removing it.



-- 
https://bugs.ruby-lang.org/
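
The "tainted by default, untaint after checking" workflow described in the issue can be modelled explicitly in application code now that `Object#taint` is gone. The following is an added example, not code from the issue or from Ruby itself; `UntrustedInput`, `params_from`, `build_report_path` and the `/srv/reports` directory are hypothetical names, and the request environment is constructed.

```ruby
require "uri"

# Hypothetical wrapper: a value stays "tainted" until validate releases it.
class UntrustedInput
  class NotValidated < StandardError; end

  def initialize(raw)
    @raw = raw.to_s.dup.freeze
  end

  # Analogue of "check or filter, then untaint": the raw string is returned
  # only if the whole value matches the caller's allow-list pattern.
  def validate(pattern)
    anchored = Regexp.new("\\A(?:#{pattern.source})\\z", pattern.options)
    raise NotValidated, "rejected by #{pattern.inspect}" unless anchored.match?(@raw)
    @raw
  end

  # Interpolation and logging never expose the unvalidated value.
  def to_s
    "#<UntrustedInput (#{@raw.bytesize} bytes)>"
  end
  alias inspect to_s
end

# Boundary: every query parameter is wrapped as soon as it is parsed.
def params_from(env)
  URI.decode_www_form(env.fetch("QUERY_STRING", "")).to_h do |key, value|
    [key, UntrustedInput.new(value)]
  end
end

# Sink: accepts only plain Strings, so an unvalidated wrapper is refused.
def build_report_path(name)
  raise TypeError, "refusing unvalidated input" unless name.is_a?(String)
  File.join("/srv/reports", "#{name}.txt")
end

# Constructed sample request environment (not from the original message).
env = { "QUERY_STRING" => "report=2019-11&other=..%2Fnotes" }
params = params_from(env)
puts build_report_path(params["report"].validate(/\d{4}-\d{2}/))
begin
  params["other"].validate(/\d{4}-\d{2}/)
rescue UntrustedInput::NotValidated => e
  puts "rejected: #{e.message}"
end
```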
