Full-featured untaint() method for Ruby?

Randy Lawrence

Hi,

I was wondering if there was a full-featured untaint() method available
for Ruby. We're assuming the built-in untaint() methods simply remove
the flag rather than modify the string.

We're thinking about converting this perl module to Ruby if there's
nothing available:

http://www.dartmouth.edu/web/cgi/untaint.pm.txt

Thanks.
 
Eric Hodel

Randy Lawrence wrote:

Hi,

I was wondering if there was a full-featured untaint() method available
for Ruby. We're assuming the built-in untaint() methods simply remove
the flag rather than modify the string.

Note that any object in ruby can be tainted. When combined with setting
$SAFE to a level that always creates tainted objects you can easily
create a "suspect" object for processing that will be safely handled in
your application.

--=20
Eric Hodel - (e-mail address removed) - http://segment7.net
All messages signed with fingerprint:
FEC2 57F1 D465 EB15 5D6E 7C11 332A 551C 796C 9F04


 
Randy Lawrence

Eric said:
Randy Lawrence ([email protected]) wrote:

Note that any object in ruby can be tainted. When combined with setting
$SAFE to a level that always creates tainted objects you can easily
create a "suspect" object for processing that will be safely handled in
your application.

We're using a default $SAFE level of 2.

What we'd like to find out is if there is a ruby class or method that
will fully parse+modify+untaint (rather than simply removing the taint
flag) of:

1. strings potentially utilized as part of a shell command
(prevent shell command injection)

2. strings potentially utilized as part of sql statements
(prevent sql injection)

3. strings potentially utilized as part of html documents
(prevent cross-site scripting)

and so on...

Surely this functionality is REQUIRED by anyone using ruby to generate
html or constructing sql statements using any potentially tainted data.

All the productivity gains possible by superior language elegance are
lost if the wheels have to keep being reinvented. IMHO, this is a wheel.
 
Andreas Schwarz

Randy said:
What we'd like to find out is if there is a ruby class or method that
will fully parse+modify+untaint (rather than simply removing the taint
flag) of:

1. strings potentially utilized as part of a shell command
(prevent shell command injection)

2. strings potentially utilized as part of sql statements
(prevent sql injection)

3. strings potentially utilized as part of html documents
^^^^^^^^^^^

Do you want to escape all the characters that are dangerous for Shell,
SQL _and_ HTML "just in case"? That's pretty useless IMO; the template
engine is responsible for HTML, the database lib for SQL, and Shell is
used so rarely that you can do it by hand.
 
gabriele renzi

Hi,

I was wondering if there was a full-featured untaint() method available
for Ruby. We're assuming the built-in untaint() methods simply remove
the flag rather than modify the string.

For the SQL stuff it's up to the DBMS drivers to provide a quote()
method. I'd agree a similar method for shell stuff would be useful.
 
Martin DeMello

Andreas Schwarz said:
Do you want to escape all the characters that are dangerous for Shell,
SQL _and_ HTML "just in case"? That's pretty useless IMO; the template
engine is responsible for HTML, the database lib for SQL, and Shell is
used so rarely that you can do it by hand.

You could use pluggable modules, just to prevent people writing the same
code by hand over and over.

require 'untaint'

string.untaint(:shell)

That way, anyone who writes an untainter for a particular domain can
contribute it back to the central untaint project. Someone writing a new
database lib could simply call untaint(:sql), for instance.

martin
 
Kaspar Schiess

Martin DeMello wrote:


| You could use pluggable modules, just to prevent people writing the same
| code by hand over and over.
|
| require 'untaint'
|
| string.untaint(:shell)
|
| That way, anyone who writes an untainter for a particular domain can
| contribute it back to the central untaint project. Someone writing a new
| database lib could simply call untaint(:sql), for instance.

Are the semantics of untainting not really dependent on what one wants
to protect against ?

That said, I agree that having some general purpose untainting is a good
thing. As long as it does not trick you into a false sense of security.
I still like the 'just pass in the numbers and decode what they mean on
the server side' approach.

kaspar

semantics & semiotics
code manufacture

www.tua.ch/ruby
 
Martin DeMello

Kaspar Schiess said:
Martin DeMello wrote:

| You could use pluggable modules, just to prevent people writing the same
| code by hand over and over.
|
| require 'untaint'
|
| string.untaint(:shell)
|
| That way, anyone who writes an untainter for a particular domain can
| contribute it back to the central untaint project. Someone writing a new
| database lib could simply call untaint(:sql), for instance.

Are the semantics of untainting not really dependent on what one wants
to protect against ?

Yes, but what one wants to protect against has both application-specific
and domain-specific components. The domain-specific bits can definitely
be reused (for instance I might know what inputs *my* webapp would need
escaped, but I have no idea how to protect an HTML string in general.
And I'd need to do both.)

martin
 
Paul Brannan

What we'd like to find out is if there is a ruby class or method that
will fully parse+modify+untaint (rather than simply removing the taint
flag) of:

1. strings potentially utilized as part of a shell command
(prevent shell command injection)

I do not know of such a method, but I agree there should be one.

2. strings potentially utilized as part of sql statements
(prevent sql injection)

Each database library should provide a method that does this. For
example, the Ruby MySQL library provides Mysql.escape_string().

3. strings potentially utilized as part of html documents
(prevent cross-site scripting)

Use CGI.escapeHTML() or WEBrick::HTMLUtils.escape() or
ERB::Util::html_escape() (or any of the other escape mechanisms
provided in one of the standard libraries) for this. If you want the
string to retain its html formatting but strip out scripts, you'll
probably need to roll your own method.

Paul
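One way to build the pluggable per-domain escaper Martin sketches, wired to the standard-library escapers Paul names. This is an added example, not code from this thread; the Untaint module and its register/for API are assumptions, and the :sql escaper stands in for a driver's own quote() method.

```ruby
require 'cgi'
require 'shellwords'

# Added example, not code from the thread: a small registry of per-domain
# escapers in the spirit of the pluggable untaint(:shell) idea. The Untaint
# module name and its register/for API are assumptions made here.
module Untaint
  ESCAPERS = {}

  # Plug in an escaper for a domain (:html, :shell, :sql, ...).
  def self.register(domain, &escaper)
    ESCAPERS[domain] = escaper
  end

  # Escape str for the named domain; an unknown domain fails loudly rather
  # than silently handing back the raw string.
  def self.for(domain, str)
    escaper = ESCAPERS.fetch(domain) do
      raise ArgumentError, "no escaper registered for #{domain.inspect}"
    end
    escaper.call(str.to_s)
  end
end

# HTML text content: CGI.escapeHTML (stdlib) turns < > & " ' into entities.
# It is only right for text nodes and quoted attribute values, not for URLs
# or script blocks; the caller still has to know its own context.
Untaint.register(:html) { |s| CGI.escapeHTML(s) }

# Shell argument: Shellwords.escape (stdlib) backslash-quotes every
# metacharacter so the value is passed as exactly one argv word.
Untaint.register(:shell) { |s| Shellwords.escape(s) }

# SQL string literal: standard SQL doubles embedded single quotes. This is
# a stand-in for the driver's quote()/escape_string; prefer bound
# parameters wherever the driver offers them.
Untaint.register(:sql) { |s| "'" + s.gsub("'", "''") + "'" }
```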
 