Tainted symbols?


#1

irb(main):001:0> t = "p 'hello world'".taint
=> "p 'hello world'"
irb(main):002:0> s = t.intern
=> :p 'hello world'
irb(main):003:0> s.tainted?
=> false

Is this a security vulnerability?



John Long
http://wiseheartdesign.com


(Mark) #2

John W. Long wrote:

irb(main):001:0> t = "p 'hello world'".taint
=> "p 'hello world'"
irb(main):002:0> s = t.intern
=> :p 'hello world'
irb(main):003:0> s.tainted?
=> false

Is this a security vulnerability?

At first it appears to be since you can then do

irb(main):006:0> $SAFE=1
=> 1
irb(main):006:0> eval s.to_s
"hello world"
=> nil

However I don’t think this will actually cause any security problems
since you need to ask yourself why your program would take a string from
an external source, convert it to a symbol and then back into a string
again.



Mark Sparshatt


(Carlos) #3

irb(main):001:0> t = "p 'hello world'".taint
=> "p 'hello world'"
irb(main):002:0> s = t.intern
=> :p 'hello world'
irb(main):003:0> s.tainted?
=> false

Is this a security vulnerability?

I can’t answer that, but see the following case:

$SAFE=1

ut = "'Hello world'" # untainted string
us = ut.intern # untainted symbol

t = gets.chomp # -> happens to be 'Hello world’
s = t.intern # tainted

now ‘us’ points to a tainted symbol… I think that would be
undesirable…


(ts) #4

t = gets.chomp # -> happens to be 'Hello world'
s = t.intern # tainted

svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
false
svg%

Guy Decoux


(John Long) #5

---- Carlos wrote: ----

$SAFE=1

ut = "'Hello world'" # untainted string
us = ut.intern # untainted symbol

t = gets.chomp # -> happens to be 'Hello world’
s = t.intern # tainted

now ‘us’ points to a tainted symbol… I think that would be
undesirable…

I’m not quite sure what you are trying to point out here. In the above
example ‘us’ would always be untainted. To my mind ‘us’ should have the same
taint that the string it was created from had.



John Long
http://wiseheartdesign.com


(Carlos) #6

t = gets.chomp # -> happens to be 'Hello world’
s = t.intern # tainted

svg% ruby -e 't = "aa"; t.taint; p t.intern.tainted?'
false
svg%

It was a hypothetical example to show why I think it is a bad idea to
transmit taint with #intern.


(Carlos) #7

$SAFE=1

ut = "'Hello world'" # untainted string
us = ut.intern # untainted symbol

t = gets.chomp # -> happens to be 'Hello world’
s = t.intern # tainted

now ‘us’ points to a tainted symbol… I think that would be
undesirable…

I’m not quite sure what you are trying to point out here. In the above
example ‘us’ would always be untainted. To my mind ‘us’ should have the same
taint that the string it was created from had.

‘us’ and ‘s’ refer to the same object.

Symbols are like Fixnums; there is only one object for each different
symbol. So, "aa".id != "aa".id, but "aa".intern.id == "aa".intern.id.
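The thread's conclusion is that a Symbol is a single shared object per name, so a per-object taint flag cannot follow a string through #intern: the symbol built from untrusted input is the very same object as the one built from a trusted literal. The following is an added example, not code from any poster in this thread. It checks that identity directly and shows the alternative a defender actually has, which is to map untrusted input onto a fixed allowlist of symbols before interning rather than relying on taint to travel. The names ALLOWED_ACTIONS, same_symbol_object? and symbol_from_untrusted are assumptions of this example. Taint tracking was deprecated in Ruby 2.7 and removed in 3.2, so the example does not call #taint and runs on current Ruby.

```ruby
# Added example (not from the original thread): symbol identity versus
# string identity, and allowlist-based conversion of untrusted input.

# Two separately built strings with the same content are distinct objects,
# so each could in principle carry its own taint flag.
def distinct_string_objects?(a, b)
  !a.equal?(b)
end

# Interning those strings yields one and the same Symbol object, which is
# why a tainted? bit on the symbol could not be meaningful per creation.
def same_symbol_object?(a, b)
  a.intern.equal?(b.intern)
end

# Hypothetical allowlist of symbols the program is willing to act on.
ALLOWED_ACTIONS = %i[list show create].freeze

# Convert an untrusted string to a Symbol only if it names an allowed
# action; anything else is rejected before a symbol is ever created,
# so there is nothing for later code to eval or dispatch on.
def symbol_from_untrusted(str)
  sym = ALLOWED_ACTIONS.find { |s| s.to_s == str }
  raise ArgumentError, "unknown action: #{str.inspect}" unless sym
  sym
end

if __FILE__ == $PROGRAM_NAME
  trusted   = String.new("show")   # constructed "literal" input
  untrusted = String.new("show")   # constructed stand-in for gets.chomp
  puts distinct_string_objects?(trusted, untrusted)  # true
  puts same_symbol_object?(trusted, untrusted)       # true
  puts symbol_from_untrusted("show").inspect         # :show
  begin
    symbol_from_untrusted("p 'hello world'")
  rescue ArgumentError => e
    puts e.message
  end
end
```

String.new is used for the sample inputs so that the two strings are guaranteed to be separate objects regardless of frozen-string-literal settings; the point of the allowlist is that the decision is made on the string, where a trust boundary can still be expressed, not on the shared symbol.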