Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).


mame (Yusuke Endoh) wrote:
> > Are we OK with just removing the calls to taint/untaint?
> 
> Each maintainer should determine that.
> 
> This is my personal opinion: In principle, we should be conservative against incompatibility.  But in regard to `$SAFE`, we can be flexible because it seems really rare to be used.
> 
> Anyway, I'd like to keep no warnings in CI even in verbose mode.

I agree with your points. Here is my implementation plan:

* I will submit pull requests upstream to all projects that remove the calls and bump the required ruby version to 2.6.99.

* For upstreams without a maintainer, I will wait one week to allow input from the community, and assuming no input, I will merge the changes.

* If the upstream has a maintainer, and the maintainer requests different behavior, I will work with them to implement their desired behavior.

* If the upstream has a maintainer, and the maintainer doesn't respond in one month, I will merge the changes (assuming I have access to do so).

This plan should ensure that all upstreams are consulted and all maintainers can choose the path they feel is best.  It should also ensure the changes can be merged in time for Ruby 2.7.  Is this plan acceptable?
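
As an added example (not code from the issue or from any of the upstream projects), here is a small Ripper-based scanner a maintainer could run over a library to locate the taint/trust calls and `$SAFE` references that the plan above removes. It lexes rather than greps so that mentions inside strings and comments are not reported; the source it scans is a constructed sample.

```ruby
require 'ripper'

# Methods of the taint/trust mechanism that this issue proposes removing,
# plus the global variable that governed it.
TAINT_METHODS = %w[taint untaint tainted? trust untrust untrusted?].freeze
TAINT_GLOBALS = %w[$SAFE].freeze

# Scan Ruby source text and return [line, column, name] for every explicit
# call of a taint-related method (`x.untaint`, `x&.tainted?`) and every
# reference to $SAFE. Ripper.lex is used instead of a regexp so that the
# same words inside string literals or comments are ignored. Implicit
# receivers (a bare `untaint`) are not detected; library code almost
# always calls these with an explicit receiver.
def find_taint_uses(source)
  tokens = Ripper.lex(source)
  hits = []
  tokens.each_with_index do |((line, col), type, tok, _state), i|
    case type
    when :on_gvar
      hits << [line, col, tok] if TAINT_GLOBALS.include?(tok)
    when :on_ident
      next unless i > 0 && TAINT_METHODS.include?(tok)
      prev_type, prev_tok = tokens[i - 1][1], tokens[i - 1][2]
      # Only count it when it follows `.` or `&.`, i.e. it is a method call.
      call = prev_type == :on_period || (prev_type == :on_op && prev_tok == '&.')
      hits << [line, col, tok] if call
    end
  end
  hits
end

# Constructed sample in the style of library code that used to guard on $SAFE.
SAMPLE = <<~'RUBY'
  # the word untaint in this comment must not be reported
  def load_plugin(path)
    path = path.dup.untaint if $SAFE > 0
    raise "tainted" if path.tainted?
    load path
  end
  msg = "do not untaint this string"
RUBY

if __FILE__ == $0
  find_taint_uses(SAMPLE).each do |line, col, name|
    puts "#{line}:#{col}: #{name}"
  end
end
```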

----------------------------------------
Feature #16131: Remove $SAFE, taint and trust
https://bugs.ruby-lang.org/issues/16131#change-82166

* Author: naruse (Yui NARUSE)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Ruby had taint checking, which was originally introduced in Perl.
https://en.wikipedia.org/wiki/Taint_checking

It was intended to provide a useful tool for handling objects which come from outside.
Input data is set as tainted by default, and you call untaint once you have checked or filtered the value.
Some people used this feature in the age of CGI.

But these days, no one uses the mechanism and input libraries usually don't support it.
For example rack: as the following shows, its input is not tainted and the mechanism is unusable.

```
% cat foo.ru
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
end
% rackup foo.ru
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
```

```
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false
```

Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.

On the other hand, we have experienced multiple vulnerabilities around $SAFE and the taint mechanism.
https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
Maintaining it is expensive.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit it provides.
I suggest removing it.


