$SAFE = 5 and Safe Ruby Misleading?

Discussion in 'Ruby' started by kirindave@lensmen.net, Aug 12, 2003.


    Hey folks.

    With all this talk of duck typing and such, I got to thinking about some of my
    code that I *thought* executed untrusted code relatively safely. I'd run code
    in a safe 5 thread, let it return a string, which I checked to make sure it
    was a "string." However, I now realize that concept is totally meaningless.

    Unless I'm misunderstanding, doesn't this mean that there is no such thing as
    an object you can "trust" in an absolute sense in Ruby? So, with that in mind,
    someone could return an object that, to me as the receiver, looks like a
    string, but its actual purpose is to iterate over every object in the runtime,
    looking for database like objects, with the purpose of destroying them. Or it
    could try and erase as much as it could.

    I know these objects come out tainted, but in order to use them, we need to
    untaint them. How do I know that that .upper! isn't actually going to destroy
    me?

    The only way I can see it is if an object could be "partially frozen", its
    methods and class methods locked, but its member variables not locked. I don't
    think there's any way to achieve this.

    Am I totally wrong about this?

    --
    Dave Fayram
    Coder / Idealist

    Dave Fayram, Aug 12, 2003
    #1

  2. On Tue, Aug 12, 2003 at 08:14:53AM +0900, Dave Fayram wrote:
    > With all this talk of duck typing and such, I got to thinking about some of my
    > code that I *thought* executed untrusted code relatively safely. I'd run code
    > in a safe 5 thread, let it return a string, which I checked to make sure it
    > was a "string." However, I now realize that concept is totally meaningless.
    >
    > Unless I'm misunderstanding, doesn't this mean that there is no such thing as
    > an object you can "trust" in an absolute sense in Ruby? So, with that in mind,
    > someone could return an object that, to me as the receiver, looks like a
    > string, but its actual purpose is to iterate over every object in the runtime,
    > looking for database like objects, with the purpose of destroying them. Or it
    > could try and erase as much as it could.
    >
    > I know these objects come out tainted, but in order to use them, we need to
    > untaint them. How do I know that that .upper! isn't actually going to destroy
    > me?


    You're right in one sense - if someone has rights to modify core objects and
    classes in your Ruby environment, then you're toast whatever way you look at
    it.

    However the assumption is that these tainted objects come from an external,
    non-Ruby environment, and typically this means they come in as objects of a
    fixed type, such as String. (Examples: data taken from ENV, data taken from
    stdin, data taken from CGI GET or POST parameters)

    So someone cannot send you a general Ruby object, unless you were to
    explicitly unmarshal it, and they cannot directly touch your Ruby run-time
    environment. If they could, they could redefine ENV to return whatever they
    like, or they could simply override methods in your classes to do whatever
    they liked.

    But given that you have (say) a string from an untrusted source, you can
    untaint it like:

    foo = ENV['HTTP_HOST']
    if /\A[a-zA-Z0-9.-]+\z/ =~ foo   # \A and \z anchor the whole string, not a line
      foo.untaint
    else
      raise "Oi! No!"
    end

    The idea being that maybe you want to do something like
    system("nslookup -q=a #{foo}")
    but clearly certain values of foo are dangerous, like "; rm -rf /*"
    The tainting mechanism just forces you to think about what values of a
    variable may or may not be safe before you use them in system calls,
    filenames, and such like.

    BEWARE: Don't use /^...$/ in this case, use /\A...\z/

    irb(main):001:0> evil = "foo\nrm -rf /*"
    => "foo\nrm -rf /*"
    irb(main):002:0> evil =~ /^foo$/
    => 0
    irb(main):003:0> evil =~ /\Afoo\z/
    => nil

    Regards,

    Brian.
     
    Brian Candler, Aug 12, 2003
    #2
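    The anchored-regex validation and the \A/\z caveat from Brian's reply, together with the "object that only looks like a string" worry from the original post, worked through as an added example. This is not code from the thread; it assumes a modern Ruby (taint/untaint were removed in Ruby 3.2 and are not used), and the names validate_hostname, anchor_comparison, nslookup_argv, nslookup_shell_command and EvilString are the example's own. The instance_of? check only holds under the assumption Brian states: untrusted code cannot reopen String itself.

```ruby
# Added example, not from the original thread. Demonstrates:
#   1. why /^...$/ is the wrong anchor for validating untrusted input in Ruby,
#   2. rejecting "string-like" objects that are not plain Strings, and
#   3. handing a validated value to an external command without a shell.
# taint/untaint are intentionally absent: they were removed in Ruby 3.2, and the
# anchored pattern is what actually carries the security decision anyway.
require 'shellwords'

# Pattern from Brian's reply: \A and \z anchor to the start and end of the
# whole string, so an embedded newline cannot smuggle in a second line.
HOSTNAME_RE = /\A[a-zA-Z0-9.-]+\z/

# Returns value unchanged if it is a plain String matching HOSTNAME_RE,
# otherwise raises ArgumentError. instance_of? (not is_a?) rejects subclasses
# such as EvilString below; this only helps if untrusted code cannot reopen
# String itself, which is the assumption Brian's reply spells out.
def validate_hostname(value)
  raise ArgumentError, "expected a plain String, got #{value.class}" unless value.instance_of?(String)
  raise ArgumentError, "rejected hostname #{value.inspect}" unless HOSTNAME_RE.match?(value)
  value
end

# Compares the two anchor styles on the same input. ^ and $ match at line
# boundaries, so "foo\nrm -rf /*" passes the first pattern and fails the second.
def anchor_comparison(value)
  {
    line_anchored:   !!(value =~ /^[a-zA-Z0-9.-]+$/),
    string_anchored: !!(value =~ /\A[a-zA-Z0-9.-]+\z/)
  }
end

# Builds the nslookup invocation from Brian's post as an argv array. Passing an
# array to Kernel#system or Open3 bypasses /bin/sh, so there is no command
# string for metacharacters to break out of; validation still happens first.
def nslookup_argv(host)
  ['nslookup', '-q=a', validate_hostname(host)]
end

# If a shell command line is unavoidable, escape the validated value so the
# shell sees exactly one argument.
def nslookup_shell_command(host)
  "nslookup -q=a #{Shellwords.escape(validate_hostname(host))}"
end

# A String subclass of the kind the first post worries about: it quacks like a
# String, but a mutating method does something else entirely. is_a?(String) is
# true for it; instance_of?(String) is not, so validate_hostname rejects it.
class EvilString < String
  def upcase!
    replace('rm -rf /*')   # stand-in for "iterate the runtime and destroy things"
  end
end

if __FILE__ == $PROGRAM_NAME
  p anchor_comparison("foo\nrm -rf /*")
  p nslookup_argv('example.com')
  p nslookup_shell_command('example.com')
  begin
    validate_hostname(EvilString.new('example.com'))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

    The argv form is the one to prefer: once the value has passed the anchored pattern it is handed to nslookup as a single argument and no shell ever parses it, so the "; rm -rf /*" and newline payloads from the thread have nothing to break out of.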
