Issue #11442 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

Ruby makes `taint` and `untaint` just return the receiver if called on any object that is not considered taintable.  That includes all immediate objects (symbols, integers (fixnums), true, false, nil), as well as integers (bignums) and floats.  So this behavior is expected and not a bug.


----------------------------------------
Bug #11442: Bug: Symbols should be taintable.
https://bugs.ruby-lang.org/issues/11442#change-80674

* Author: gwelch (Grant Welch)
* Status: Closed
* Priority: Normal
* Assignee: matz (Yukihiro Matsumoto)
* Target version: 
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

---------------------------------------------------------------

# Proof of Concept:
~~~
# cat untainted_sym.rb
#!/usr/bin/env ruby -w
# Data read with gets is tainted.
print 'Enter a string? '
a = gets
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
# Converting to a Symbol yields an untainted object ...
b = a.to_sym
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
# ... and converting back yields an untainted String with the same content.
c = b.to_s
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"
~~~

# Output:

~~~
$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true
~~~

# Sample Workaround: (to provide the expected SecurityError)

~~~
# safe_level: 1 or 2
# uncertain_var: some variable that could, potentially, be tainted
# eval of a tainted string with $SAFE >= 1 raises SecurityError, so the
# to_sym is only reached for untainted input.
untainted_sym = proc {
  $SAFE = safe_level
  eval("'#{uncertain_var}'") && uncertain_var.to_sym
}.call   # => Symbol for untainted var, SecurityError for tainted var
~~~

# Versions Tested:
* ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
* ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
* ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
* ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
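
The reply above explains that Symbols, like other immediate or interned objects, are not taintable, and the report shows that `String#to_sym` therefore launders taint. The example below is added here and is not code from the report or from ruby-core: it shows the interning that leaves a Symbol nowhere to carry per-object provenance, and gates `String#to_sym` behind an explicit allowlist instead of relying on `$SAFE`. It deliberately uses no taint API (`taint`/`tainted?` were removed in Ruby 3.2), so it runs on current Rubies; `ALLOWED_COMMANDS`, `safe_to_sym` and `UntrustedInput` are names assumed for the example, and the `"foobar\n"` input is a constructed stand-in for `gets`.

```ruby
# Added example, not from the bug report or the ruby-core reply.  Uses no
# taint API (removed in Ruby 3.2); ALLOWED_COMMANDS, safe_to_sym and
# UntrustedInput are names assumed for this demo.

# A Symbol with a given name is one interned object.  A string read from the
# user and a literal written by the programmer intern to the very same
# Symbol, so the Symbol has nowhere to record which String it came from.
# That is why a taint flag cannot survive the trip through to_sym.
def same_symbol_object?(user_input, literal)
  user_input.to_sym.equal?(literal.to_sym)
end

# Strings, by contrast, are distinct objects that can each carry state
# (String#to_s returns the receiver, so this compares the objects given).
def same_string_object?(user_input, literal)
  user_input.to_s.equal?(literal.to_s)
end

# The Symbols this (hypothetical) application is prepared to dispatch on.
ALLOWED_COMMANDS = %i[start stop status].freeze

class UntrustedInput < StandardError; end

# Convert untrusted text to a Symbol only when the result is on the
# allowlist.  The membership test is done on Strings, so unexpected input
# is rejected before it is ever interned.  A trailing newline from gets is
# tolerated by chomping it; nothing else is normalised.
def safe_to_sym(input, allowed = ALLOWED_COMMANDS)
  text = input.to_s.chomp
  return text.to_sym if allowed.any? { |sym| sym.to_s == text }

  raise UntrustedInput, "#{text.inspect} is not an accepted command"
end

# Demo mirroring the report: "foobar\n" as typed at the prompt (constructed).
if __FILE__ == $PROGRAM_NAME
  typed = "foobar\n".dup
  puts "same Symbol object: #{same_symbol_object?(typed, "foobar\n")}"   # true
  puts "same String object: #{same_string_object?(typed, "foobar\n")}"   # false
  puts "safe_to_sym(\"status\\n\") => #{safe_to_sym("status\n").inspect}"
  begin
    safe_to_sym(typed)
  rescue UntrustedInput => e
    puts "safe_to_sym(#{typed.inspect}) raised #{e.class}: #{e.message}"
  end
end
```

Because the check runs on the String side, input that is not on the list never becomes a Symbol at all, and the decision does not depend on a flag that the conversion would drop anyway.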




-- 
https://bugs.ruby-lang.org/