Subject: String#to_sym returns an untainted Symbol.

Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some.

Proof of Concept:¶

# cat untainted_sym.rb

#!/usr/bin/env ruby -w
print 'Enter a string? '
a = gets
puts "a: #{a.inspect}, tainted? #{a.tainted?}"
b = a.to_sym
puts "b: #{b.inspect}, tainted? #{b.tainted?}"
c = b.to_s
puts "c: #{c.inspect}, tainted? #{c.tainted?}"
puts "a == c: #{a == c}"

Output:¶

$ ruby -w untainted_sym.rb
Enter a string? foobar
a: "foobar\n", tainted? true
b: :"foobar\n", tainted? false
c: "foobar\n", tainted? false
a == c: true

Sample Workaround: (to provide the expected SecurityError)¶

# safe_level, 1 or 2
# uncertain_var, some variable that could, potentially, be tainted
untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call   # => Symbol for untainted var, SecurityError for tainted var

Versions Tested:¶

• ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux]
• ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux]
• ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux]
• ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]