Feature #19723 (Closed)
[RFC] Deprecate/disallow passing `"|command..."` values to open-uri's `URI.open()` method
Description

Because `Kernel.open()` supports opening pipe-commands (ex: `"|command-here..."`), this has led to multiple security vulnerabilities, where malicious user-input is eventually passed to `Kernel.open()`. One of the code-paths by which malicious user-input can reach `Kernel.open()` is via open-uri's `URI.open()` method. RuboCop even recommends avoiding `URI.open()` in favor of `uri = URI.parse(...); uri.open` to avoid accidentally opening malicious `"|command..."` inputs. I propose that `URI.open()` should not accept pipe-commands, as they are neither URIs nor files. One could even argue that `URI.open()` should only accept URIs and never fall back to `Kernel.open()`.
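As an added illustration of the safer pattern the description refers to (the `URI.parse(...); uri.open` form RuboCop recommends), here is a small guard that validates untrusted input before any open call is made. This is example code written for this page, not code from the issue, from RuboCop or from Ruby's open-uri; the `safe_uri`/`fetch` names and the http(s)-only allow-list are assumptions chosen for the example.

```ruby
require "uri"
require "open-uri"

# Example policy (assumption): only http and https URIs may be fetched.
# URI::HTTPS is a subclass of URI::HTTP, both are listed for clarity.
ALLOWED_URI_CLASSES = [URI::HTTP, URI::HTTPS].freeze

# Parse untrusted input and return a URI object only if it is an http(s) URI
# with a host. A pipe-command ("|id"), a bare filesystem path, a non-http
# scheme or an unparsable string is rejected with ArgumentError *before*
# anything is opened, so there is no chance of falling through to Kernel.open.
def safe_uri(input)
  raise ArgumentError, "input must be a String" unless input.is_a?(String)
  # Explicit, early rejection of the exact shape this issue is about.
  raise ArgumentError, "refusing to open a pipe-command" if input.start_with?("|")

  uri = begin
    URI.parse(input)
  rescue URI::InvalidURIError => e
    raise ArgumentError, "not a URI: #{e.message}"
  end

  unless ALLOWED_URI_CLASSES.any? { |klass| uri.is_a?(klass) }
    raise ArgumentError, "unsupported scheme: #{uri.scheme.inspect}"
  end
  raise ArgumentError, "missing host" if uri.host.nil? || uri.host.empty?

  uri
end

# Fetch through the URI object's own #open (OpenURI::OpenRead), never through
# URI.open(string) or Kernel.open(string), so no string ever reaches the
# pipe-command code path.
def fetch(input)
  safe_uri(input).open { |io| io.read }
end
```

`fetch` performs a network request and is only shown for completeness; the value of the pattern is that every input passes through `safe_uri` first, and that the object form `uri.open` has no string-based fallback to dispatch on.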
Updated by postmodern (Hal Brodigan) over 1 year ago
- Tracker changed from Bug to Feature
- Backport deleted (3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN)
Updated by mdalessio (Mike Dalessio) over 1 year ago
I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from `Kernel#open` (called by `URI.open` in the fall-through case).

If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in `URI.open`.
Updated by postmodern (Hal Brodigan) over 1 year ago
mdalessio (Mike Dalessio) wrote in #note-2:

> I think we should merge this discussion into #19630 since the behavior you wish to deprecate comes from `Kernel#open` (called by `URI.open` in the fall-through case). If #19630 is accepted, the naive implementation proposed at https://github.com/ruby/ruby/pull/7915 would also deprecate this behavior in `URI.open`.

This could be done before #19630 by changing `URI.open` to either fall back to `File.open` or not fall back to `open` at all. We could preemptively close this vulnerable code path before Ruby 4.0, since `URI.open` implies that it opens URIs and only URIs.
Updated by kosaki (Motohiro KOSAKI) over 1 year ago
- Related to Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues added
Updated by hsbt (Hiroshi SHIBATA) over 1 year ago
- Status changed from Open to Closed
@akr (Akira Tanaka) and @matz (Yukihiro Matsumoto) accepted this deprecation at Misc #19722: DevMeeting-2023-07-13
I'll merge this into https://bugs.ruby-lang.org/issues/19630