Security Gotcha with $:

[John Carter]

I have just stumbled on a small security Gotcha in my code, that is
probably common to quite a lot of code...

ruby-1.8.2 -e 'p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux",
"/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8",
"/usr/lib/ruby/1.8/i686-linux", "."]


Now if you do, like I do,

$: << "/The/place/where/my/ruby/modules/live"

require 'MyModule'

Look what that does...

ruby-1.8.2 -e '$: << "/The/place/where/my/ruby/modules/live";p $:'
["/usr/lib/ruby/site_ruby/1.8", "/usr/lib/ruby/site_ruby/1.8/i686-linux",
"/usr/lib/ruby/site_ruby", "/usr/lib/ruby/1.8",
"/usr/lib/ruby/1.8/i686-linux", ".",
"/The/place/where/my/ruby/modules/live"]

Then "." is on the library path _before_ your user path.

So a Bad Hat (or just plain Murphy as in Murphy's Law) could put his own
nasty version of MyModule.rb on the current working directory and there
after your App does Strange Things.

Solution 1:

$:.unshift "/The/place/where/my/ruby/modules/live"

I don't like that as then if Murphy places anything with a module name
that is the same as a system module in "/The/place/where/my/ruby/modules/live"
then suddenly all system modules start behaving in mysterious ways.

Solution 2:

$:.reject!{|p| p[0] != ?/} # Only allow absolute paths

$: << "/The/place/where/my/ruby/modules/live"

require 'MyModule'

John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : (e-mail address removed)
New Zealand

Refactorers do it a little better every time.

 

[Eric Hodel]

--Apple-Mail-50-494285604
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed

I have just stumbled on a small security Gotcha in my code, that is
probably common to quite a lot of code...
[snip]

So a Bad Hat (or just plain Murphy as in Murphy's Law) could put his
own nasty version of MyModule.rb on the current working directory and
there after your App does Strange Things.

Solution 1:

$:.unshift "/The/place/where/my/ruby/modules/live"

I don't like that as then if Murphy places anything with a module name
that is the same as a system module in
"/The/place/where/my/ruby/modules/live"
then suddenly all system modules start behaving in mysterious ways.

This one is common.

Solution 2:

$:.reject!{|p| p[0] != ?/} # Only allow absolute paths

$: << "/The/place/where/my/ruby/modules/live"

require 'MyModule'

Solution 3:

Use RUBYLIB:

$ env | grep RUBY
RUBYLIB=/Users/drbrain/lib/ruby/
$ ruby -e 'p $:'
["/Users/drbrain/lib/ruby/", "/usr/local/lib/ruby/site_ruby/1.8",
"/usr/local/lib/ruby/site_ruby/1.8/powerpc-darwin7.7.0",
"/usr/local/lib/ruby/site_ruby", "/usr/local/lib/ruby/1.8",
"/usr/local/lib/ruby/1.8/powerpc-darwin7.7.0", "."]
[ ~/Work/svn/robotcoop/hugster/trunk ]


--
Eric Hodel - (e-mail address removed) - http://segment7.net
FEC2 57F1 D465 EB15 5D6E 7C11 332A 551C 796C 9F04

--Apple-Mail-50-494285604
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCJixkMypVHHlsnwQRAlx5AJ9tlbgHXK2HHhMX+Q6FDzfzN/gX8ACfYA94
9TB46SwSYBcCTMOpx8Qqke4=
=rW++
-----END PGP SIGNATURE-----

--Apple-Mail-50-494285604--