[ruby-talk:02686] Re: Tainting

< ^ > P N |<>|^_>< --- | ~ ...Help
Hi,

In message "[ruby-talk:02674] Tainting"
    on 00/05/09, Dave Thomas <Dave / thomases.com> writes:

|I'm trying to document all the various taint checks in the
|interpreter. So far I have:

...

|Am I missing anything obvious, and does this list make sense?

Here's (imperfect) list.

|$SAFE >= 1
|  * The environment variables RUBYOPT and RUBYLIB are not
|    processed.
|  * The command line options -e, -i, -I, -r, -s, -S, and -x are
|    not allowed.
|  * The current directory is not added to the path.
|  * Processes cannot be exec'd from \CF{\$PATH} if any directory
|    in it is world-writable.

|  \item Can't manipulate a directory whose name is a tainted string.
|  \item Can't glob tainted strings.
|  \item Can't eval tainted strings.
|  \item Can't load or require a file whose name is a tainted string.
|  \item Can't manipulate a file or pipe whose name is a tainted string.
|  \item Can't execute a system command from a tainted string.

   .. And bunch of Check_SafeStr() checks (61 checks in the standard
   distribution).

|$SAFE >= 2
|  * Can't load file in world-writable directory.
|  * Can't load a file from a tainted filename starting with ~.

   * Can't do Dir.chdir.
   * Can't do Dir.chroot.
   * Can't do Dir.mkdir.
   * Can't do Dir.rmdir.
   * Can't get stat of files via stat (FileTest methods).
   * Can't get lstat of files via stat (FileTest methods).
   * Can't get lstat of files via stat (FileTest methods).
   * Can't chmod files.
   * Can't chown files.
   * Can't set umask.
   * Can't truncate files.
   * Can't flock files.
   * Can't do ioctl/fcntl over files.
   * Can't invoke arbitrary system calls by syscall.
   * Can't make child process.
   * Can't setpgid.
   * Can't setsid.
   * Can't setpriority.
   * Can't setegid.
   * Can't send signal to processes by Process.kill.
   * Can't set signal handler by trap.

|$SAFE >= 3
|  * All objects are created tainted.

    * Can't remove taint from object.

|$SAFE >= 4
|  * Can't modify non-tainted array, hash, or string.
|  * Can't modify global variable.
|  * Can't access instance variables of non-tainted objects.
|  * Can't change environment variable.
|  * Can't close or reopen non-tainted files.
|  * Can't freeze non-tainted objects.
|  * Can't get meta information (such as method or variable lists).
|  * Can't define, redefine, remove, undef method in a non-tainted
|    class or module.
|  * Can't remove instance variables or consts from non tainted
|    objects.
|  * Can't set priority of other threads.
|  * Can't have thread local variables.

   * Can't change visibility of methods (private/public/protected).
   * Can't make alias in a non-tainted class or module.
   * Can't terminate interpreter by exit/abort.
   * Can't include module into non-tainted class or module.
   * Can't terminate thread other than the current.
   * Can't set abort_on_exception.
   * Can't raise exception in trusted (has lower $SAFE value) thread.
   * Can't move thread between ThreadGroup by ThreadGroup#add.
   * Can't call _id2ref, which you shouldn't call anyway. ;-)
   * Can't output vid stdio/socket.
   * Can't reopen IO.
   * Can't taint object.
   * Can't declare autoload.


							matz.