Ruby Issue Tracking System
Ruby master - Feature #16131: Remove $SAFE, taint and trust
https://redmine.ruby-lang.org/issues/16131?journal_id=81257 2019-08-29T07:15:38Z naruse (Yui NARUSE) naruse@airemix.jp
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/15998">Feature #15998</a>: Allow String#-@ to deduplicate tainted string, but return an untainted one</i> added</li></ul>
https://redmine.ruby-lang.org/issues/16131?journal_id=81259 2019-08-29T07:16:25Z naruse (Yui NARUSE) naruse@airemix.jp
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/8468">Feature #8468</a>: Remove $SAFE</i> added</li></ul>
https://redmine.ruby-lang.org/issues/16131?journal_id=81274 2019-08-29T15:46:11Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I agree with the removal of <code>$SAFE</code> and the taint tracking. Proposed timeline:</p>
<p>2.7:</p>
<ul>
<li>Remove taint tracking/mechanism.</li>
<li>Non-verbose warning on setting/access of <code>$SAFE</code>
</li>
<li>
<code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> become no-ops, verbose warning when called</li>
</ul>
<p>3.0:</p>
<ul>
<li>No warning on setting/access of <code>$SAFE</code>, it switches to normal global variable.</li>
</ul>
<p>3.2:</p>
<ul>
<li>
<code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> non-verbose warning when called</li>
</ul>
<p>3.3:</p>
<ul>
<li>
<code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> removed</li>
</ul>
<p>The reasoning behind the delayed removal of the <code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> methods is that most gems want to support all currently supported Ruby versions, and removing these methods soon may make that more difficult.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81275 2019-08-29T18:49:23Z byroot (Jean Boussier) byroot@ruby-lang.org
<ul></ul><blockquote>
<p>3.2 <code>taint/trust/untaint/untrust</code> non-verbose warning when called</p>
</blockquote>
<p>Maybe you meant verbose here?</p>
<p>Other than that I agree with the proposed timeline, and as soon as these methods are noop, their cost becomes mostly null.</p>
<p>Making them noop also allows for easy feature testing: <code>Object.new.taint.tainted? # => whether or not tainting is supported</code>.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81276 2019-08-29T19:43:06Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>byroot (Jean Boussier) wrote:</p>
<blockquote>
<blockquote>
<p>3.2 <code>taint/trust/untaint/untrust</code> non-verbose warning when called</p>
</blockquote>
<p>Maybe you meant verbose here?</p>
</blockquote>
<p>No. Verbose warning means a warning only printed in verbose mode (<code>ruby -w</code>, or <code>$VERBOSE = true</code>). Non-verbose warning means a warning printed even in regular mode.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81283 2019-08-30T04:41:56Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul></ul><p>+1 for the removal, and I agree with Jeremy's plan for 2.7 and 3.0.<br>
For 3.2 and 3.3, I think we may keep all the methods as no-op because old not-maintained-well scripts may break, though I'm not so strongly against the removal.<br>
(Anyway, <code>tainted?</code> and <code>trusted?</code> should also be taken care of.)</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81288 2019-08-30T08:49:27Z hsbt (Hiroshi SHIBATA) hsbt@ruby-lang.org
<ul></ul><p>I'm also +1 for jeremy's proposal.</p>
<p>I often got test failures related to <code>$SAFE</code> on rubygems. I'm happy to leave them with this proposal.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81292 2019-08-30T16:19:31Z Dan0042 (Daniel DeLorme)
<ul></ul><p>I must admit to using taint sometimes in my code, as a way to keep track of dirty/modified status on an object (mea culpa)</p>
<pre><code class="ruby syntaxhl" data-language="ruby"><span class="nb">hash</span><span class="p">.</span><span class="nf">taint</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="o">=</span> <span class="n">newvalue</span>
<span class="o">...</span>
<span class="n">save</span><span class="p">(</span><span class="nb">hash</span><span class="p">.</span><span class="nf">untaint</span><span class="p">)</span> <span class="k">if</span> <span class="nb">hash</span><span class="p">.</span><span class="nf">tainted?</span>
</code></pre>
<p>It's probably not common at all. Still, I think since tainted state has been there for such a long time we should not introduce backwards incompatibility (making it a no-op) right away in 2.7. Adding a deprecation warning in 2.7 and then making it a no-op in 3 should be the usual way of handling deprecation, no? Although removing the interaction with $SAFE seems ok to me even for 2.7.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81293 2019-08-30T16:57:32Z Dan0042 (Daniel DeLorme)
<ul></ul><p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/1604">@jeremyevans0 (Jeremy Evans)</a>, by "no-op" did you mean only in the context of $SAFE mode, or did you mean that <code>tainted?</code> and <code>trusted?</code> would always return false? In the second case I think it's better to just remove the method, at least that's an obvious and easy bug to fix.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81294 2019-08-30T17:29:55Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>By no-op, I meant they would make no changes and return self. I didn't mention <code>tainted?</code> or <code>trusted?</code> earlier, but I think it may make sense to remove them earlier than <code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code>. Maybe a non-verbose warning stating they always return false in 2.7, and then remove them in 3.0. The reason for the different behavior is that <code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> are often called by code without caring what they actually do (other than to make the objects work with certain core methods). <code>tainted?</code>/<code>trusted?</code> are only called when the code wants to have different behavior based on the taint flag.</p>
<p>For <code>tainted?</code>/<code>trusted?</code> to work correctly, we would need to continue to support taint tracking at least in some state. We could reduce the scope of the taint flag, though. For example, we could make it so the taint flag is never checked by any core/stdlib code, and never transferred to another object. However, calling <code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> on an object and then calling <code>tainted?</code>/<code>trusted?</code> on the same object will still behave as it does in 2.6. That would allow your abuse of <code>taint</code> for dirty tracking to continue to work in 2.7. If we do that, I think we should still add a non-verbose warning in 2.7 when <code>tainted?</code>/<code>trusted?</code> are called, and remove <code>tainted?</code>/<code>trusted?</code> in 3.0.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81295 2019-08-30T17:45:51Z Dan0042 (Daniel DeLorme)
<ul></ul><p>jeremyevans0 (Jeremy Evans) wrote:</p>
<blockquote>
<p>For <code>tainted?</code>/<code>trusted?</code> to work correctly, we would need to continue to support taint tracking at least in some state. We could reduce the scope of the taint flag, though. For example, we could make it so the taint flag is never checked by any core/stdlib code, and never transferred to another object. However, calling <code>taint</code>/<code>trust</code>/<code>untaint</code>/<code>untrust</code> on an object and then calling <code>tainted?</code>/<code>trusted?</code> on the same object will still behave as it does in 2.6. That would allow your abuse of <code>taint</code> for dirty tracking to continue to work in 2.7. If we do that, I think we should still add a non-verbose warning in 2.7 when <code>tainted?</code>/<code>trusted?</code> are called, and remove <code>tainted?</code>/<code>trusted?</code> in 3.0.</p>
</blockquote>
<p>That sounds good to me. At that point you could even replace the taint/trust bit flags by instance variables.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81337 2019-09-02T05:36:16Z ko1 (Koichi Sasada)
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/9588">Bug #9588</a>: program name variables tainted</i> added</li></ul>
https://redmine.ruby-lang.org/issues/16131?journal_id=81338 2019-09-02T05:57:37Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul></ul><p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/286">@headius (Charles Nutter)</a> <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/772">@Eregon (Benoit Daloze)</a> <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/293">@brixen (Brian Shirai)</a></p>
<p>Do you have any opinion about this as developers of other Ruby implementations?</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81448 2019-09-07T11:40:04Z Eregon (Benoit Daloze)
<ul></ul><p>I agree it would be best to remove the implicit taint state, and particularly the interaction with $SAFE.</p>
<p>FWIW, TruffleRuby already prevents setting $SAFE to anything else than 0:<br>
<a href="https://github.com/oracle/truffleruby/blob/master/doc/user/security.md#unimplemented-security-features" class="external">https://github.com/oracle/truffleruby/blob/master/doc/user/security.md#unimplemented-security-features</a></p>
<p>Without $SAFE (which I think most people agree to remove), I think tainting has very few use-cases, which I think doesn't warrant staying a core feature.</p>
<p>Tracking tainting has a performance cost, e.g., String#+ must check if either LHS or RHS is tainted and taint the result in that case.<br>
This can introduce extra polymorphism or branches in code which needs to check for the taint state.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81596 2019-09-19T08:00:09Z matz (Yukihiro Matsumoto) matz@ruby.or.jp
<ul></ul><p>Basically agreed.<br>
My proposal for the schedule:</p>
<p>2.7:</p>
<ul>
<li>Remove taint tracking/mechanism.</li>
<li>Non-verbose warning on setting/access of $SAFE</li>
<li>taint/trust/untaint/untrust become no-ops, verbose warning when called</li>
</ul>
<p>3.0:</p>
<ul>
<li>No warning on setting/access of $SAFE, it switches to normal global variable.</li>
<li>taint/trust/untaint/untrust non-verbose warning when called</li>
</ul>
<p>3.2:</p>
<ul>
<li>taint/trust/untaint/untrust removed</li>
</ul>
<p>But it's not a big issue.</p>
<p>Matz.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81610 2019-09-19T13:26:21Z headius (Charles Nutter) headius@headius.com
<ul></ul><p>I look forward to removing all tainting logic!</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81640 2019-09-21T07:17:09Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I've added a pull request that adds warnings to setting/access of $SAFE, as well as public C functions that deal with $SAFE: <a href="https://github.com/ruby/ruby/pull/2476" class="external">https://github.com/ruby/ruby/pull/2476</a></p>
<p>As the taint tracking/mechanism is being removed, I was not sure if we want to keep any other features of $SAFE. The pull request does not keep any features, after it is applied, nothing in the core or stdlib uses $SAFE. I think that is what was desired, but I'm not sure, as the log for the last developer meeting hasn't been released yet.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81708 2019-09-25T04:08:09Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I've expanded my pull request to deprecate taint/trust and related methods with verbose warnings, and make the methods no-ops. I believe this implements matz's plan for Ruby 2.7.</p>
<p>The changes involved removing tainting from all included libraries, which includes libraries such as rubygems, bundler, and json, that may want to support older versions of ruby upstream (and may need to keep taint code to work correctly in older ruby versions). I'm not sure how we want to handle this, and I'm open to ideas.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=81902 2019-10-04T16:17:46Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I've rebased my pull request against master and fixed the conflicts (<a href="https://github.com/ruby/ruby/pull/2476" class="external">https://github.com/ruby/ruby/pull/2476</a>). I've also removed mentions of $SAFE and taint from the documentation.</p>
<p>Due to the extent of the changes, I don't want to wait too long before merging this. Otherwise, there will probably be more conflicts to resolve, and increased chance of an untaint/taint call being introduced. Also due to the extent of the changes, another committer should review.</p>
<p>We still need to decide how we want to handle upstreams that want to support older ruby versions. Do we want to just notify upstreams and request that they fix it? Do we want to recommend a specific approach, such as (for rubygems):</p>
<pre><code class="ruby syntaxhl" data-language="ruby"><span class="k">if</span> <span class="no">RUBY_VERSION</span> <span class="o">>=</span> <span class="s1">'2.7'</span>
  <span class="k">def</span> <span class="nc">Gem</span><span class="o">.</span><span class="nf">untaint_obj</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span>
  <span class="k">end</span>
<span class="k">else</span>
  <span class="k">def</span> <span class="nc">Gem</span><span class="o">.</span><span class="nf">untaint_obj</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span>
    <span class="n">obj</span><span class="p">.</span><span class="nf">untaint</span>
  <span class="k">end</span>
<span class="k">end</span>
</code></pre>
<p>And changing all the calls? Or wrapping all calls in <code>if RUBY_VERSION < '2.7'</code></p>
<p>test-bundled-gems is failing with this patch (a single rake test). I submitted a patch upstream to skip that test on Ruby 2.7+: <a href="https://github.com/ruby/rake/pull/329" class="external">https://github.com/ruby/rake/pull/329</a></p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82100 2019-10-17T06:58:58Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul></ul><p>Hi <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/1604">@jeremyevans0 (Jeremy Evans)</a>,</p>
<blockquote>
<p>I've rebased my pull request against master and fixed the conflicts</p>
</blockquote>
<p>Thank you for the great work! I've discussed this issue on the developer meeting, and all agreed with the change.</p>
<blockquote>
<p>We still need to decide how we want to handle upstreams that want to support older ruby versions.</p>
</blockquote>
<p>This should be discussed and agreed with the maintainers for each code (rubygems, bundler, etc). In regard to rubygems and bundler, I hear from <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/572">@hsbt (Hiroshi SHIBATA)</a> that the incompatibility would not matter even if we just remove the code related to <code>$SAFE</code>. (<a class="user active user-mention" href="https://redmine.ruby-lang.org/users/572">@hsbt (Hiroshi SHIBATA)</a>, am I correct?)</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82110 2019-10-17T15:52:23Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>The blocker on merging the pull request is that test-bundled-gems is failing due to the <code>rake</code> test failure. <a href="https://github.com/ruby/rake/pull/329" class="external">https://github.com/ruby/rake/pull/329</a> needs to be merged (and I don't have permissions to merge it), and a new rake released and bundled with Ruby.</p>
<p>I checked and Bundler and Rubygems are the only libraries affected that use external upstreams. All other affected libraries (default gems) are under the ruby organization on GitHub. We need to decide how we want to handle these:</p>
<p>Default gems without extensions</p>
<pre><code>fileutils
irb
reline
rexml
rss
webrick
</code></pre>
<p>Default gems with extensions:</p>
<pre><code>bigdecimal
date
dbm
etc
fiddle
gdbm
io-console
openssl
psych
stringio
strscan
zlib
</code></pre>
<p>Are we OK with just removing the calls to taint/untaint? I'm not sure, but I believe that may cause issues when using previous versions of Ruby. The simplest fix here is to set the required ruby version in the related gemspecs to 2.6.99 to allow 2.7.0 preview/beta versions and above to work. That will mean older versions of Ruby cannot install newer versions of the gems. Is that acceptable?</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82163 2019-10-18T03:28:55Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul></ul><blockquote>
<p>Are we OK with just removing the calls to taint/untaint?</p>
</blockquote>
<p>Each maintainer should determine that.</p>
<p>This is my personal opinion: In principle, we should be conservative against incompatibility. But in regard to <code>$SAFE</code>, we can be flexible because it seems really rare to be used.</p>
<p>Anyway, I'd like to keep no warnings in CI even in verbose mode.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82166 2019-10-18T05:44:29Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>mame (Yusuke Endoh) wrote:</p>
<blockquote>
<blockquote>
<p>Are we OK with just removing the calls to taint/untaint?</p>
</blockquote>
<p>Each maintainer should determine that.</p>
<p>This is my personal opinion: In principle, we should be conservative against incompatibility. But in regard to <code>$SAFE</code>, we can be flexible because it seems really rare to be used.</p>
<p>Anyway, I'd like to keep no warnings in CI even in verbose mode.</p>
</blockquote>
<p>I agree with your points. Here is my implementation plan:</p>
<ul>
<li>
<p>I will submit pull requests upstream to all projects that remove the calls and bump the required ruby version to 2.6.99.</p>
</li>
<li>
<p>For upstreams without a maintainer, I will wait one week to allow input from the community, and assuming no input, I will merge the changes.</p>
</li>
<li>
<p>If the upstream has a maintainer, and the maintainer requests different behavior, I will work with them to implement their desired behavior.</p>
</li>
<li>
<p>If the upstream has a maintainer, and the maintainer doesn't respond in one month, I will merge the changes (assuming I have access to do so).</p>
</li>
</ul>
<p>This plan should ensure that all upstreams are consulted and all maintainers can choose the path they feel is best. It should also ensure the changes can be merged in time for Ruby 2.7. Is this plan acceptable?</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82179 2019-10-18T22:26:30Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I have added pull requests for all upstream projects. After some thought, I think many maintainers may consider dropping Ruby <2.7 support not acceptable. So the pull requests I submitted will continue to work on older Ruby versions. In cases where <code>untaint</code> is used, that means using a conditional, because the calling code may want an untainted string. In cases where <code>taint</code> or <code>tainted?</code> is used, those were generally just removed. While that does change behavior slightly, it is unlikely anyone is relying on things being tainted (they may be relying on things not being tainted).</p>
<p>Here are links to all pull requests:</p>
<p>Bundled gems with external upstreams:</p>
<ul>
<li>rake: <a href="https://github.com/ruby/rake/pull/329" class="external">https://github.com/ruby/rake/pull/329</a>
</li>
</ul>
<p>Default gems with external upstreams:</p>
<ul>
<li>bundler: <a href="https://github.com/bundler/bundler/pull/7385" class="external">https://github.com/bundler/bundler/pull/7385</a>
</li>
<li>rubygems: <a href="https://github.com/rubygems/rubygems/pull/2951" class="external">https://github.com/rubygems/rubygems/pull/2951</a>
</li>
</ul>
<p>Default gems without C extensions:</p>
<ul>
<li>fileutils: <a href="https://github.com/ruby/fileutils/pull/45" class="external">https://github.com/ruby/fileutils/pull/45</a>
</li>
<li>irb: <a href="https://github.com/ruby/irb/pull/30" class="external">https://github.com/ruby/irb/pull/30</a>
</li>
<li>reline: <a href="https://github.com/ruby/reline/pull/61" class="external">https://github.com/ruby/reline/pull/61</a>
</li>
<li>rexml: <a href="https://github.com/ruby/rexml/pull/21" class="external">https://github.com/ruby/rexml/pull/21</a>
</li>
<li>rss: <a href="https://github.com/ruby/rss/pull/7" class="external">https://github.com/ruby/rss/pull/7</a>
</li>
<li>webrick: <a href="https://github.com/ruby/webrick/pull/34" class="external">https://github.com/ruby/webrick/pull/34</a>
</li>
</ul>
<p>Default gems with C extensions:</p>
<ul>
<li>bigdecimal: <a href="https://github.com/ruby/bigdecimal/pull/157" class="external">https://github.com/ruby/bigdecimal/pull/157</a>
</li>
<li>date: <a href="https://github.com/ruby/date/pull/14" class="external">https://github.com/ruby/date/pull/14</a>
</li>
<li>dbm: <a href="https://github.com/ruby/dbm/pull/4" class="external">https://github.com/ruby/dbm/pull/4</a>
</li>
<li>etc: <a href="https://github.com/ruby/etc/pull/5" class="external">https://github.com/ruby/etc/pull/5</a>
</li>
<li>fiddle: <a href="https://github.com/ruby/fiddle/pull/21" class="external">https://github.com/ruby/fiddle/pull/21</a>
</li>
<li>gdbm: <a href="https://github.com/ruby/gdbm/pull/3" class="external">https://github.com/ruby/gdbm/pull/3</a>
</li>
<li>io-console: <a href="https://github.com/ruby/io-console/pull/6" class="external">https://github.com/ruby/io-console/pull/6</a>
</li>
<li>openssl: <a href="https://github.com/ruby/openssl/pull/273" class="external">https://github.com/ruby/openssl/pull/273</a>
</li>
<li>psych: <a href="https://github.com/ruby/psych/pull/419" class="external">https://github.com/ruby/psych/pull/419</a>
</li>
<li>stringio: <a href="https://github.com/ruby/stringio/pull/6" class="external">https://github.com/ruby/stringio/pull/6</a>
</li>
<li>strscan: <a href="https://github.com/ruby/strscan/pull/11" class="external">https://github.com/ruby/strscan/pull/11</a>
</li>
<li>zlib: <a href="https://github.com/ruby/zlib/pull/9" class="external">https://github.com/ruby/zlib/pull/9</a>
</li>
</ul>
https://redmine.ruby-lang.org/issues/16131?journal_id=82384 2019-10-30T20:54:35Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>Most of the pull requests to fix taint/$SAFE issues have been merged. These are the remaining ones that haven't been merged yet:</p>
<p>Bundled gems with external upstreams:</p>
<ul>
<li>rake: <a href="https://github.com/ruby/rake/pull/329" class="external">https://github.com/ruby/rake/pull/329</a> (Can one of the rack maintainers merge and bump version?)</li>
</ul>
<p>Default gems without C extensions:</p>
<ul>
<li>irb: <a href="https://github.com/ruby/irb/pull/30" class="external">https://github.com/ruby/irb/pull/30</a>
</li>
<li>reline: <a href="https://github.com/ruby/reline/pull/61" class="external">https://github.com/ruby/reline/pull/61</a>
</li>
</ul>
<p>Default gems with C extensions:</p>
<ul>
<li>bigdecimal: <a href="https://github.com/ruby/bigdecimal/pull/157" class="external">https://github.com/ruby/bigdecimal/pull/157</a>
</li>
<li>psych: <a href="https://github.com/ruby/psych/pull/419" class="external">https://github.com/ruby/psych/pull/419</a>
</li>
</ul>
https://redmine.ruby-lang.org/issues/16131?journal_id=82617 2019-11-11T17:14:37Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul></ul><p>Hi <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/1604">@jeremyevans0 (Jeremy Evans)</a> , thank you for your great work.</p>
<p>I might be one lap behind, but as far as I understand, the taint tracking will be removed in 2.7. However, it looks still enabled:</p>
<pre><code>$ ./miniruby -e '$SAFE=1; File.symlink?("/etc/passwd".taint)'
Traceback (most recent call last):
1: from -e:1:in `&lt;main&gt;'
-e:1:in `symlink?': Insecure operation - symlink? (SecurityError)
</code></pre>
<p>Rubygems removed untaint operations, which leads to <code>Insecure operation - symlink?</code> error in rubygems test suite:</p>
<pre><code> 1) Failure:
TestRequire#test_require_insecure_path [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:66]:
Expected "Insecure operation - symlink?" to include "loading from unsafe path".
2) Failure:
TestRequire#test_require_insecure_path_shift_jis [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:94]:
Expected "Insecure operation - symlink?" to include "loading from unsafe path".
</code></pre>
<p><a href="https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian8/ruby-master/log/20191111T153007Z.fail.html.gz" class="external">https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian8/ruby-master/log/20191111T153007Z.fail.html.gz</a></p>
<p>Thanks,</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82619 2019-11-11T17:55:45Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>mame (Yusuke Endoh) wrote:</p>
<blockquote>
<p>Hi <a class="user active user-mention" href="https://redmine.ruby-lang.org/users/1604">@jeremyevans0 (Jeremy Evans)</a> , thank you for your great work.</p>
<p>I might be one lap behind, but as far as I understand, the taint tracking will be removed in 2.7. However, it looks still enabled:</p>
<pre><code>$ ./miniruby -e '$SAFE=1; File.symlink?("/etc/passwd".taint)'
Traceback (most recent call last):
1: from -e:1:in `<main>'
-e:1:in `symlink?': Insecure operation - symlink? (SecurityError)
</code></pre>
<p>Rubygems removed untaint operations, which leads to <code>Insecure operation - symlink?</code> error in rubygems test suite:</p>
<pre><code> 1) Failure:
TestRequire#test_require_insecure_path [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:66]:
Expected "Insecure operation - symlink?" to include "loading from unsafe path".
2) Failure:
TestRequire#test_require_insecure_path_shift_jis [/home/hsbt/chkbuild/tmp/build/20191111T153007Z/ruby/test/ruby/test_require.rb:94]:
Expected "Insecure operation - symlink?" to include "loading from unsafe path".
</code></pre>
<p><a href="https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian8/ruby-master/log/20191111T153007Z.fail.html.gz" class="external">https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian8/ruby-master/log/20191111T153007Z.fail.html.gz</a></p>
<p>Thanks,</p>
</blockquote>
<p>I haven't committed the changes to Ruby core yet. Committing the Ruby core changes first would have broken it as well. I will try to commit the changes later this week. If it cannot wait that long, please let me know, but I'll be traveling and not able to do much for the next ~36 hours.</p>
<p>Unfortunately, there are about 25 separate repositories where changes need to be committed, and for most of those places the changes need to be backwards compatible with earlier versions, which wasn't part of the initial branch prepared. So for each of those repositories, the changes in the initial branch need to be backed out before merging. This is one of the negative aspects of gemifying the standard library and moving each library to its own repository. Additionally, more of the standard library got moved to gems since I prepared the per-gem commits, so I need to recheck all of those libraries and see if they are affected by the taint removal.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82621 2019-11-11T18:43:30Z Dan0042 (Daniel DeLorme)
<ul></ul><p>Wait, I don't understand. You should be able to just leave <code>str.untaint</code> like it is since it's just a no-op in 2.7. Why the version check?</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82623 2019-11-11T18:56:08Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>Dan0042 (Daniel DeLorme) wrote:</p>
<blockquote>
<p>Wait, I don't understand. You should be able to just leave <code>str.untaint</code> like it is since it's just a no-op in 2.7. Why the version check?</p>
</blockquote>
<p>There is a verbose warning emitted if you call the method in 2.7, so we can't have anything in the core/stdlib calling it.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82625 2019-11-11T23:42:25Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li></ul><p>Applied in changeset <a class="changeset" title="test/ruby/test_require.rb: Remove the tests of require with $SAFE The taint mechanism is decided..." href="https://redmine.ruby-lang.org/projects/ruby-master/repository/git/revisions/9594f57f3df6c2538f96f018fa5f9a775ac7dde1">git|9594f57f3df6c2538f96f018fa5f9a775ac7dde1</a>.</p>
<hr>
<p>test/ruby/test_require.rb: Remove the tests of require with $SAFE</p>
<p>The taint mechanism is decided to be removed at 2.7. [Feature <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Remove $SAFE, taint and trust (Closed)" href="https://redmine.ruby-lang.org/issues/16131">#16131</a>]<br>
So, this change removes the tests that expect a SecurityError when<br>
requiring a file under $SAFE >= 1.</p>
<p>The reason why they should be removed in advance is because the upstream<br>
of rubygems has already removed a call to "untaint" method, which makes<br>
the tests fail.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82627 2019-11-11T23:50:52Z mame (Yusuke Endoh) mame@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Closed</i> to <i>Open</i></li></ul><p>Oops, I closed it unintentionally. Reopening.</p>
<p>jeremyevans0 (Jeremy Evans) wrote:</p>
<blockquote>
<p>I haven't committed the changes to Ruby core yet. Committing the Ruby core changes first would have broken it as well. I will try to commit the changes later this week. If it cannot wait that long, please let me know, but I'll be traveling and not able to do much for the next ~36 hours.</p>
</blockquote>
<p>Thanks, I understand! I have removed the failed tests of test/ruby/test_require.rb, which would eventually be removed because they check if "require" raises a SecurityError under $SAFE=1. So, currently there are no test failures.</p>
<p>I checked the status of your PRs:</p>
<ul>
<li>rake: already merged; a new version needs to be released</li>
<li>irb: already merged and backported to trunk</li>
<li>reline: already merged and backported to trunk</li>
<li>bigdecimal: already merged; but not backported yet to trunk</li>
<li>psych: already merged; but not backported yet to trunk</li>
</ul>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/572">@hsbt (Hiroshi SHIBATA)</a> said that he will manage rake, bigdecimal, and psych. I hope you will be able to remove $SAFE mechanism when you return home :-) Have a nice travel!</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82631 2019-11-12T03:50:40Z hsbt (Hiroshi SHIBATA) hsbt@ruby-lang.org
<ul></ul><p>I released Rake 13.0.1 and merged Jeremy's commits related to <code>untaint</code> on bigdecimal and psych.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82691 2019-11-15T14:57:00Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul></ul><p>I updated <a href="https://github.com/ruby/ruby/pull/2476" class="external">https://github.com/ruby/ruby/pull/2476</a>. There are a couple failing CI tests, both of which appear unrelated:</p>
<ul>
<li><a href="https://ci.appveyor.com/project/ruby/ruby/builds/28875336/job/6udjor0n25yvgaan" class="external">https://ci.appveyor.com/project/ruby/ruby/builds/28875336/job/6udjor0n25yvgaan</a></li>
<li><a href="https://travis-ci.org/ruby/ruby/jobs/612185187?utm_medium=notification&utm_source=github_status" class="external">https://travis-ci.org/ruby/ruby/jobs/612185187?utm_medium=notification&utm_source=github_status</a></li>
</ul>
<p>I had to merge some changes made in separate repositories that had not been merged into ruby yet: rexml, rss, etc, io-console, openssl, strscan</p>
<p>If another developer could review and let me know if it looks OK to merge, I would appreciate it.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82706 2019-11-17T23:14:30Z jeremyevans0 (Jeremy Evans) merch-redmine@jeremyevans.net
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li></ul><p>I merged these changes at <a class="changeset" title="Update NEWS for $SAFE/taint changes" href="https://redmine.ruby-lang.org/projects/ruby-master/repository/git/revisions/4c7dc9fbe604cc0c8343b1225c96d4e5219b8147">4c7dc9fbe604cc0c8343b1225c96d4e5219b8147</a> . Still one failing CI test, but the same one that is failing in the master branch for a few days, related to makefile dependencies.</p>
https://redmine.ruby-lang.org/issues/16131?journal_id=82885 2019-11-30T09:27:29Z hsbt (Hiroshi SHIBATA) hsbt@ruby-lang.org
<ul></ul><p>I released the new versions: fileutils, webrick, date, dbm, etc, gdbm, stringio, zlib.</p>
<p><a class="user active user-mention" href="https://redmine.ruby-lang.org/users/32">@kou (Kouhei Sutou)</a> rexml, rss, fiddle, strscan<br>
<a class="user active user-mention" href="https://redmine.ruby-lang.org/users/4">@nobu (Nobuyoshi Nakada)</a> io-console</p>
<p>Can you release new versions that drop taint support? And can you import the upstream versions into the ruby-core repository before the Ruby 2.7.0-rc1 release?</p>
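<p>Added example (not part of the thread and not code from rubygems or Ruby core): a version-gated <code>untaint</code> wrapper of the kind discussed above, which never calls <code>untaint</code> on Ruby 2.7 and later and so emits no verbose warning, together with an explicit dirty flag for the hash use case raised earlier in the thread. The names <code>TaintCompat</code>, <code>DirtyHash</code> and <code>capture_verbose_warnings</code> are hypothetical.</p>

```ruby
require "stringio"

# Hypothetical compatibility helper (name is an assumption, not rubygems code).
module TaintCompat
  # Taint tracking only has an effect before Ruby 2.7. Compare numerically
  # rather than as strings so the check does not depend on string ordering.
  TAINT_SUPPORTED =
    (RUBY_VERSION.split(".").first(2).map(&:to_i) <=> [2, 7]) < 0

  if TAINT_SUPPORTED
    # Older Rubies: callers may need an untainted object to pass $SAFE checks.
    def self.untaint(obj)
      obj.untaint
    end
  else
    # 2.7 and later: never touch Object#untaint, so no deprecation warning is
    # printed in verbose mode and nothing breaks once the method is removed.
    def self.untaint(obj)
      obj
    end
  end
end

# Runs the block with $VERBOSE = true and returns [result, captured_stderr],
# which lets a test suite assert that library code stays warning-free.
def capture_verbose_warnings
  old_verbose = $VERBOSE
  old_stderr = $stderr
  $VERBOSE = true
  $stderr = StringIO.new
  result = yield
  [result, $stderr.string]
ensure
  $VERBOSE = old_verbose
  $stderr = old_stderr
end

# Explicit dirty flag for the hash use case from the thread, instead of
# borrowing the taint bit (class name is hypothetical).
class DirtyHash
  def initialize(data = {})
    @data = data.dup
    @dirty = false
  end

  def []=(key, value)
    @dirty = true
    @data[key] = value
  end

  def [](key)
    @data[key]
  end

  def dirty?
    @dirty
  end

  # Yields a snapshot to the caller's save routine only when something was
  # modified, then clears the flag. Returns true if a save happened.
  def save_if_dirty
    return false unless @dirty
    yield @data.dup
    @dirty = false
    true
  end
end
```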