Issue #16131 has been updated by jeremyevans0 (Jeremy Evans).


I have added pull requests for all upstream projects.  After some thought, I think many maintainers may consider dropping Ruby <2.7 support not acceptable.  So the pull requests I submitted will continue to work on older Ruby versions.  In cases where `untaint` is used, that means using a conditional, because the calling code may want an untainted string.  In cases where `taint` or `tainted?` is used, those were generally just removed.  While that does change behavior slightly, it is unlikely anyone is relying on things being tainted (they may be relying on things not being tainted).

Here are links to all pull requests:

Bundled gems with external upstreams:

* rake: https://github.com/ruby/rake/pull/329

Default gems with external upstreams:

* bundler: https://github.com/bundler/bundler/pull/7385
* rubygems: https://github.com/rubygems/rubygems/pull/2951

Default gems without C extensions:

* fileutils: https://github.com/ruby/fileutils/pull/45
* irb: https://github.com/ruby/irb/pull/30
* reline: https://github.com/ruby/reline/pull/61
* rexml: https://github.com/ruby/rexml/pull/21
* rss: https://github.com/ruby/rss/pull/7
* webrick: https://github.com/ruby/webrick/pull/34

Default gems with C extensions:

* bigdecimal: https://github.com/ruby/bigdecimal/pull/157
* date: https://github.com/ruby/date/pull/14
* dbm: https://github.com/ruby/dbm/pull/4
* etc: https://github.com/ruby/etc/pull/5
* fiddle: https://github.com/ruby/fiddle/pull/21
* gdbm: https://github.com/ruby/gdbm/pull/3
* io-console: https://github.com/ruby/io-console/pull/6
* openssl: https://github.com/ruby/openssl/pull/273
* psych: https://github.com/ruby/psych/pull/419
* stringio: https://github.com/ruby/stringio/pull/6
* strscan: https://github.com/ruby/strscan/pull/11
* zlib: https://github.com/ruby/zlib/pull/9

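As an added illustration (not code from any of the pull requests linked above), here is the version-conditional `untaint` pattern the comment describes, alongside the check that explains why plain `tainted?` calls could simply be dropped; `TaintCompat` and `safe_config_path` are hypothetical names chosen for the example.

```ruby
require 'rubygems' # for Gem::Version; normally already loaded

# Hypothetical compatibility shim for a library that must keep working on
# Ruby < 2.7 (taint tracking live), 2.7-3.1 (taint methods are deprecated
# no-ops) and 3.2+ (taint methods removed entirely).
module TaintCompat
  # Decide once at load time whether taint tracking is actually active,
  # instead of calling deprecated or missing methods on every invocation.
  TAINT_ACTIVE = Gem::Version.new(RUBY_VERSION) < Gem::Version.new('2.7')

  # Version-safe replacement for `str.untaint`. Callers on old Rubies may
  # expect an untainted result, so the call is kept behind a conditional.
  def self.untaint(str)
    str.untaint if TAINT_ACTIVE
    str
  end

  # Version-safe replacement for `obj.tainted?`. On Ruby >= 2.7 nothing is
  # ever tainted, which is why such checks can simply be removed.
  def self.tainted?(obj)
    TAINT_ACTIVE && obj.tainted?
  end
end

# A library helper of the kind the pull requests touch: it takes a value
# from the environment (tainted on old Rubies), validates it, and hands
# back a string the caller may treat as explicitly checked.
def safe_config_path(env = ENV)
  raw = env.fetch('APP_CONFIG', 'config.yml')
  # Accept only a bare file name: no NUL bytes and no directory components.
  if raw.include?("\0") || raw != File.basename(raw)
    raise ArgumentError, "unsafe config name: #{raw.inspect}"
  end
  # dup first: String#untaint on a frozen string raises FrozenError on < 2.7.
  TaintCompat.untaint(raw.dup)
end
```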
----------------------------------------
Feature #16131: Remove $SAFE, taint and trust
https://bugs.ruby-lang.org/issues/16131#change-82179

* Author: naruse (Yui NARUSE)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
----------------------------------------
Ruby had taint checking, which was originally introduced in Perl.
https://en.wikipedia.org/wiki/Taint_checking

It was intended to provide a useful tool for handling objects which come from outside.
Input data is set as tainted by default, and you call untaint once you have checked or filtered the value.
Some people used this feature in the age of CGI.

But these days, no one uses the mechanism and input libraries usually don't support it.
For example, with rack, as the following shows, its input is not tainted and the mechanism is unusable.

```
% cat foo.ru
run ->(env) do
  ['200', {'Content-Type' => 'text/plain'}, ["Is QUERY_STRING tainted?: #{env["QUERY_STRING"].tainted?}"]]
end
% rackup foo.ru
[51724] Puma starting in cluster mode...
[51724] * Version 3.12.1 (ruby 2.6.3-p62), codename: Llamas in Pajamas
[51724] * Min threads: 3, max threads: 3
[51724] * Environment: development
[51724] * Process workers: 1
[51724] * Preloading application
[51724] * Listening on tcp://localhost:9292
[51724] Use Ctrl-C to stop
[51737] + Gemfile in context: /Users/naruse/work/td-cdp-api/Gemfile
[51724] - Worker 0 (pid: 51737) booted, phase: 0
```

```
% curl http://localhost:9292/\?foo=1
Is QUERY_STRING tainted?: false
```

Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.

On the other hand, we have experienced multiple vulnerabilities around $SAFE and the taint mechanism.
https://cse.google.com/cse?q=taint&cx=008288045305770251182%3Afvruzsaknew&ie=UTF-8
The cost of maintaining it is expensive.

In conclusion, I think the taint mechanism is too expensive to maintain for the merit it provides.
I suggest removing it.



-- 
https://bugs.ruby-lang.org/