Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Ruby Programming
Previous Page Home Next Page

Tainted Objects

Any Ruby object derived from some external source (for example, a string read from a file, or an environment variable) is automatically marked as being tainted. If your program uses a tainted object to derive a new object, then that new object will also be tainted, as shown in the code below. Any object with external data somewhere in its past will be tainted. This tainting process is performed regardless of the current safe level. You can inspect the tainted status of an object using Object#tainted? .

# internal data
# =============
x1 = "a string"
x1.tainted? false
x2 = x1[2, 4]
x2.tainted? false
x1 =~ /([a-z])/ 0
$1.tainted? false

# external data
# =============
y1 = ENV["HOME"]
y1.tainted? true
y2 = y1[2, 4]
y2.tainted? true
y1 =~ /([a-z])/ 1
$1.tainted? true

You can force any object to become tainted by invoking its taint method. If the safe level is less than 3, you can remove the taint from an object by invoking untaint.[There are also some devious ways of doing this without using untaint. We'll leave it up to your darker side to find them.] This is clearly not something to do lightly.

Clearly, Walter should have run his CGI script at a safe level of 1. This would have raised an exception when the program tried to pass form data to eval. Once this had happened, Walter would have had a number of choices. He could have chosen to implement a proper expression parser, bypassing the risks inherent in using eval. However, being lazy, it's more likely he'd have performed some simple sanity check on the form data, and untaint it if it looked innocuous.

require 'cgi';

$SAFE = 1

cgi = CGI::new("html4")

expr = cgi["field"].to_s

if expr =~ %r{^-+*/\d\seE.()*$}   expr.untaint   result = eval(expr)   # display result back to user... else   # display error message... end

Personally, we think Walter's still taking undue risks. We'd probably prefer to see a real parser here, but implementing one here has nothing to teach us about tainting, so we'll move on.

And remember---it's a dangerous world out there. Be careful.

Definition of the safe levels
$SAFE >= 1
  • The environment variables RUBYLIB and RUBYOPT are not processed, and the current directory is not added to the path.
  • The command-line options -e, -i, -I, -r, -s, -S, and -x are not allowed.
  • Can't start processes from $PATH if any directory in it is world-writable.
  • Can't manipulate or chroot to a directory whose name is a tainted string.
  • Can't glob tainted strings.
  • Can't eval tainted strings.
  • Can't load or require a file whose name is a tainted string.
  • Can't manipulate or query the status of a file or pipe whose name is a tainted string.
  • Can't execute a system command or exec a program from a tainted string.
  • Can't pass trap a tainted string.

$SAFE >= 2

$SAFE >= 3
  • All objects are created tainted.
  • Can't untaint objects.

$SAFE >= 4
  • Can't modify a nontainted array, hash, or string.
  • Can't modify a global variable.
  • Can't access instance variables of nontainted objects.
  • Can't change an environment variable.
  • Can't close or reopen nontainted files.
  • Can't freeze nontainted objects.
  • Can't change visibility of methods (private/public/protected).
  • Can't make an alias in a nontainted class or module.
  • Can't get meta information (such as method or variable lists).
  • Can't define, redefine, remove, or undef a method in a nontainted class or module.
  • Can't modify Object.
  • Can't remove instance variables or constants from nontainted objects.
  • Can't manipulate threads, terminate a thread other than the current, or set abort_on_exception.
  • Can't have thread local variables.
  • Can't raise an exception in a thread with a lower $SAFE value.
  • Can't move threads between ThreadGroups.
  • Can't invoke exit, exit!, or abort.
  • Can load only wrapped files, and can't include modules in nontainted classes and modules.
  • Can't convert symbol identifiers to object references.
  • Can't write to files or pipes.
  • Can't use autoload.
  • Can't taint objects.

Ruby Programming
Previous Page Home Next Page

  Published under the terms of the Open Publication License Design by Interspire