Bug #11442
Updated by gwelch (Grant Welch) over 9 years ago
Subject: String#to_sym returns an untainted Symbol. Taint checking can be subverted by a String if a tainted String is converted to a Symbol. After experiencing this issue, I went looking for unit tests in ruby/ruby, ruby/mspec, and ruby/rubyspec, but was unable to come up with any tests that focus on $SAFE. If they exist, could you point out where they are located? If not, I'd be willing to write some. --------------------------------------------------------------- # Proof #Proof of Concept: ~~~ # cat untainted_sym.rb #!/usr/bin/env ruby -w print 'Enter a string? ' a = gets puts "a: #{a.inspect}, tainted? #{a.tainted?}" b = a.to_sym puts "b: #{b.inspect}, tainted? #{b.tainted?}" c = b.to_s puts "c: #{c.inspect}, tainted? #{c.tainted?}" puts "a == c: #{a == c}" ~~~ # Output: #Output: ~~~ $ ruby -w untainted_sym.rb Enter a string? foobar a: "foobar\n", tainted? true b: :"foobar\n", tainted? false c: "foobar\n", tainted? false a == c: true ~~~ # Sample #Sample Workaround: (to provide the expected SecurityError) ~~~ # safe_level, 1 or 2 # uncertain_var, some variable that could, potentially, be tainted untainted_sym = proc { $SAFE=safe_level; eval("'#{uncertain_var}'") && uncertain_var.to_sym}.call # => Symbol for untainted var, SecurityError for tainted var ~~~ # Versions #Versions Tested: * ruby 1.9.3p551 (2014-11-13 revision 48407) [x86_64-linux] * ruby 2.0.0p645 (2015-04-13 revision 50299) [x86_64-linux] * ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux] * ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]