Hello all,
basically I just want to know if the code below is safe.
Assume 'dangerous.rb' is provided by someone you don't know
and is located in a world-writable directory.
The filename is as unsafe as the file itself.
------------------------------------------------------------------------
$SAFE = 1
filename = 'dangerous.rb'.taint # just uploaded from untrusted user
fname = String.new(filename.to_s)
classname = File.basename(fname, '.rb').capitalize
fname.untaint if File.expand_path(fname) =~ %r{^d:/simon/}i
code = IO.read(fname) # reading is safe hopefully

# create a new object from a class definition in dangerous.rb
unsafe_obj = Thread.new do
  $SAFE = 4
  begin
    mod = Module.new
    mod.module_eval(code)
    mod.const_get(classname).new
  rescue Exception => e
    Exception.new(e.to_s)
  end
end.value
raise unsafe_obj if Exception === unsafe_obj
# as long as we do not call methods on unsafe_obj we should be safe, right?

# call a method on the new object
value = Thread.new do
  $SAFE = 4
  begin
    String.new(unsafe_obj.meth.to_s)
  rescue Exception => e
    Exception.new(e.to_s)
  end
end.value
raise value if Exception === value
value.untaint # this should be safe now! (?)
p value
------------------------------------------------------------------------
cheers
Simon
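The filename check from the post, written out as an added example (not Simon's code): instead of untainting on a bare path prefix, it confines the uploaded name to a base directory, requires the basename to be a plain identifier, and only then derives the class name the way the post does. The directory /srv/uploads and the name resolve_upload are assumptions; the post used d:/simon/.

```ruby
# Added example, not from the original post. The base directory is a
# constructed placeholder standing in for the post's d:/simon/.
UPLOAD_DIR = File.expand_path('/srv/uploads')

# Only lower-case identifiers with a .rb suffix are accepted, so the
# derived constant is a valid class name and the basename cannot carry
# separators, spaces or "." / ".." components.
SAFE_BASENAME = /\A[a-z][a-z0-9_]*\.rb\z/

# Returns [absolute_path, class_name] for an acceptable filename, or nil.
# Nothing is read here; the caller decides what to do with the path.
def resolve_upload(filename, base_dir = UPLOAD_DIR)
  # expand_path resolves "..", so traversal is normalised before the check
  path = File.expand_path(filename.to_s, base_dir)
  # Compare against base_dir plus a separator: a bare prefix match would
  # also accept a sibling directory such as /srv/uploads-old.
  return nil unless path.start_with?(base_dir + File::SEPARATOR)
  base = File.basename(path)
  return nil unless base.match?(SAFE_BASENAME)
  [path, File.basename(base, '.rb').capitalize]
end
```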