Security riddle with $SAFE and untainted strings

(Phlip) #1

Rubies:

The user gives me a string, inside user_string.

I set up an object model in memory, and eval(user_string). The user_string
contains code to work that object model.

After the call, I want to call system(cmd), where cmd is untainted and
clean.

Now I want to secure that string, so the user may not put
'system("whatever")' inside that string.

So try this:

    user_string = "$SAFE = 1\n" + user_string
    eval(user_string)

That fails to defend us from system("whatever"), because "whatever" is seen
as an untainted literal, not a tainted element of the greater string we are
inside of.

Raising $SAFE to 2 throttles the safe system() call after my eval().

How to make this situation safe?

···

--
  Phlip
  http://www.greencheese.org/ZeekLand <-- NOT a blog!!!