Project

General

Profile

Actions

Feature #19723

closed

[RFC] Deprecate/disallow passing `"|command..." values to open-uri's URI.open() method

Added by postmodern (Hal Brodigan) over 1 year ago. Updated over 1 year ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:113864]

Description

Due to Kernel.open() supporting opening pipe-commands (ex: "|command-here...") this has led to multiple 1 security 2 vulnerabilities 3, where malicious user-input eventually is passed to Kernel.open(). One of the code-paths that malicious user-input can reach Kernel.open() is via open-uri's URI.open() method. RuboCop even recommends avoiding using URI.open() in favor of uri = URI.parse(...); uri.open to avoid accidentally opening malicious "|command..." inputs. I propose that URI.open() should not accept pipe-commands, as they are neither URIs nor files. One could even argue that URI.open() should only accept URIs and never fallback to Kernel.open().


Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issuesClosedActions
Actions #1

Updated by postmodern (Hal Brodigan) over 1 year ago

  • Tracker changed from Bug to Feature
  • Backport deleted (3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN)

Updated by mdalessio (Mike Dalessio) over 1 year ago

I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).

If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.

Updated by postmodern (Hal Brodigan) over 1 year ago

mdalessio (Mike Dalessio) wrote in #note-2:

I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from Kernel#open (called by URI.open in the fall-through case).

If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in URI.open.

This could be done before #19630 by changing URI.open to either fallback to File.open or not fallback to open at all. We could preemptively close this vulnerable code path before Ruby 4.0, since URI.open implies that it opens URIs and only URIs.

Actions #4

Updated by kosaki (Motohiro KOSAKI) over 1 year ago

  • Related to Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues added

Updated by hsbt (Hiroshi SHIBATA) over 1 year ago

  • Status changed from Open to Closed
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0