1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
|
<html><title>Programming Ruby: The Pragmatic Programmer's Guide</title><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><STYLE TYPE="text/css"><!--
BODY { margin-left: 1in;
width: 6in;
font-family: helvetica, arial, sans-serif;
}
H1 { color: #000080;
font-family: helvetica, arial, sans-serif;
font-size: 22pt;
margin-left: 0in
}
H2 { color: #000080; font: bold x-large helvetica, sans-serif;
margin-left: 0in }
H3 { color: #000080; font: bold large helvetica, sans-serif; }
H4 { color: #000080; font: italic large helvetica, sans-serif; }
.ruby { background: #fff0f0 }
.header { color: white }
.subheader { color: #ffdddd }
.sidebar { width: 6in }
span.sans { font-family: helvetica, arial, sans-serif }
-->
</STYLE><table bgcolor="#a03030" cellpadding="3" border="0" cellspacing="0"><tr><td colspan="3"><table bgcolor="#902020" cellpadding="20"><tr><td><h1 class="header">Programming Ruby</h1><h3 class="subheader">The Pragmatic Programmer's Guide</h3></td></tr></table></td></tr><tr><td width="33%" align="left"><a class="subheader" href="classes.html">Previous <</a></td><td width="33%" align="center" valign="middle"><a class="subheader" href="index.html">Contents ^</a><br></td><td width="33%" align="right"><a class="subheader" href="ospace.html">Next ></a><br></td></tr></table></head><body bgcolor="white">
<!--
Copyright (c) 2001 by Addison Wesley Longman. This
material may be distributed only subject to the terms and
conditions set forth in the Open Publication License, v1.0 or
later (the latest version is presently available at
http://www.opencontent.org/openpub/).
-->
<h1>Locking Ruby in the Safe</h1><hr><br>
<P></P>
Walter Webcoder has a great idea for a portal site: The Web Arithmetic
Page. Surrounded by all sorts of cool mathematical links and banner
ads that will make him rich is a simple central frame, containing a
text field and a button. Users type an arithmetic expression into the
field, press the button, and the answer is displayed. All the world's
calculators become obsolete overnight, and Walter cashes in and retires to
devote his life to his collection of car license plate numbers.
<P></P>
Implementing the calculator is easy, thinks Walter. He accesses the
contents of the form field using Ruby's CGI library, and uses
the <code>eval</code> method to evaluate the string as an expression.
<P></P>
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3" width="400"><tr><td><pre>
require 'cgi'
<P></P>
cgi = CGI::new("html4")
<P></P>
# Fetch the value of the form field "expression"
expr = cgi["expression"].to_s
<P></P>
begin
result = eval(expr)
rescue Exception => detail
# handle bad expressions
end
<P></P>
# display result back to user...
</pre></td></tr></table>
<P></P>
Roughly seven seconds after Walter puts the application online, a
twelve-year-old from Waxahachie with glandular problems and no real
life types ``<code>system("rm *")</code>'' into the form and, like his
application, Walter's dreams come tumbling down.
<P></P>
Walter learned an important lesson: <em>All external data is
dangerous. Don't let it close to interfaces that can modify your
system.</em> In this case, the content of the form field was the
external data, and the call to <code>eval</code> was the security breach.
<P></P>
Fortunately, Ruby provides support for reducing this risk. All
information from the outside world can be marked as
<em>tainted</em>. When running in a safe mode, potentially dangerous
methods will raise a <code>SecurityError</code> if passed a tainted object.
<h2>Safe Levels</h2>
<P></P>
The variable <code>$SAFE</code> determines Ruby's level of paranoia.
Table 20.1 on page 261 gives details of the checks performed at
each safe level.
<P></P>
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3">
<tr bgcolor="#ff9999">
<td valign="top"><b>$SAFE</b></td>
<td valign="top"><b>Constraints</b></td>
</tr>
<tr>
<td valign="top">0</td>
<td valign="top">No checking of the use of externally supplied (tainted) data is
performed. This is Ruby's default mode.</td>
</tr>
<tr>
<td valign="top">>= 1</td>
<td valign="top">Ruby disallows the use of tainted data by potentially
dangerous operations.</td>
</tr>
<tr>
<td valign="top">>= 2</td>
<td valign="top">Ruby prohibits the loading of program files from globally
writable locations.</td>
</tr>
<tr>
<td valign="top">>= 3</td>
<td valign="top">All newly created objects are considered tainted.</td>
</tr>
<tr>
<td valign="top">>= 4</td>
<td valign="top">Ruby effectively partitions the running program in two. Nontainted
objects may not be modified. Typically, this will be used to create a
sandbox: the program sets up an environment using a lower
<code>$SAFE</code> level, then resets <code>$SAFE</code> to 4 to prevent
subsequent changes to that environment.</td>
</tr>
<tr><td colspan="9" bgcolor="#ff9999" height="2"><img src="dot.gif" width="1" height="1"></td></tr></table>
<P></P>
The default value of <code>$SAFE</code> is zero under most circumstances.
However, if a Ruby script is run <em>setuid</em> or
<em>setgid</em>,<em>[A Unix script may be flagged to be run under a
different user or group id than the person running it. This allows
the script to have privileges that the user does not have; the
script can access resources that the user would otherwise be
prohibited from using.
These scripts are called <em>setuid</em> or <em>setgid</em>.]</em>
its safe
level is automatically set to 1. The safe level may also be set
using the <code>-T</code>
command-line option, and by assigning to
<code>$SAFE</code> within the program. It is not possible to lower the value
of <code>$SAFE</code> by assignment.
<P></P>
The current value of <code>$SAFE</code> is inherited when new threads are
created. However, within each thread, the value of <code>$SAFE</code> may be
changed without affecting the value in other threads. This facility
may be used to implement secure ``sandboxes,'' areas where external
code may run safely without risking the rest of your application or
system. Do this by wrapping code that you load from a
file in its own, anonymous module.
This will protect your
program's namespace from any unintended alteration.
<P></P>
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3" width="400"><tr><td><pre>
f=open(fileName,"w")
f.print ... # write untrusted program into file.
f.close
Thread.start {
$SAFE = 4
load(fileName, true)
}
</pre></td></tr></table>
<P></P>
With a <code>$SAFE</code> level of 4, you can load <em>only</em> wrapped files.
See <a href="ref_m_kernel.html#load"><code>Kernel::load</code></a> on page 422 for details.
<h2>Tainted Objects</h2>
<P></P>
Any Ruby object derived from some external source (for example, a
string read from a file, or an environment variable) is automatically
marked as being tainted. If your program uses a tainted object to
derive a new object, then that new object will also be tainted, as
shown in the code below. Any
object with external data somewhere in its past will be tainted. This
tainting process is performed regardless of the current safe level. You
can inspect the tainted status of an object using
<a href="ref_c_object.html#tainted_qm"><code>Object#tainted?</code></a>.
<P></P>
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3">
<tr>
<td valign="top">
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3" width="500">
<tr>
<td colspan="3" valign="top"><code># internal data</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code># =============</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code>x1 = "a string"</code></td>
</tr>
<tr>
<td valign="top"><code>x1.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>false</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code></code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code>x2 = x1[2, 4]</code></td>
</tr>
<tr>
<td valign="top"><code>x2.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>false</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code></code></td>
</tr>
<tr>
<td valign="top"><code>x1 =~ /([a-z])/</code></td>
<td valign="top"></td>
<td valign="top"><code>0</code></td>
</tr>
<tr>
<td valign="top"><code>$1.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>false</code></td>
</tr>
</table>
<P></P>
</td>
<td width="5"></td><td bgcolor="#ffaaaa" width="2"><img src="dot.gif" width="1" height="1"></td><td width="5"></td>
<td valign="top">
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3" width="500">
<tr>
<td colspan="3" valign="top"><code># external data</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code># =============</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code>y1 = ENV["HOME"]</code></td>
</tr>
<tr>
<td valign="top"><code>y1.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>true</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code></code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code>y2 = y1[2, 4]</code></td>
</tr>
<tr>
<td valign="top"><code>y2.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>true</code></td>
</tr>
<tr>
<td colspan="3" valign="top"><code></code></td>
</tr>
<tr>
<td valign="top"><code>y1 =~ /([a-z])/</code></td>
<td valign="top"></td>
<td valign="top"><code>1</code></td>
</tr>
<tr>
<td valign="top"><code>$1.tainted?</code></td>
<td valign="top"></td>
<td valign="top"><code>true</code></td>
</tr>
</table>
<P></P>
</td>
</tr>
</table>
<P></P>
You can force any object to become tainted by invoking its
<code>taint</code> method. If the safe level is less than 3, you can
remove the taint from an object by invoking
<code>untaint</code>.<em>[There are also some devious ways of doing
this without using <code>untaint</code>. We'll leave it up to your
darker side to find them.]</em> This is clearly not something to do
lightly.
<P></P>
Clearly, Walter should have run his CGI script at a safe level of
1. This would have raised an exception when the program tried to
pass form data to <code>eval</code>. Once this had happened, Walter would
have had
a number of choices. He could have chosen to implement a proper expression
parser, bypassing the risks inherent in using <code>eval</code>. However,
being lazy, it's more likely he'd have performed some simple sanity check on
the form data, and untaint it if it looked innocuous.
<P></P>
<table bgcolor="#fff0f0" cellspacing="0" border="0" cellpadding="3" width="400"><tr><td><pre>
require 'cgi';
<P></P>
$SAFE = 1
<P></P>
cgi = CGI::new("html4")
<P></P>
expr = cgi["field"].to_s
<P></P>
if expr =~ %r{^-+*/\d\seE.()*$}
expr.untaint
result = eval(expr)
# display result back to user...
else
# display error message...
end
</pre></td></tr></table>
<P></P>
Personally, we think Walter's still taking undue risks. We'd probably
prefer to see a real parser here, but implementing one here has
nothing to teach us about tainting, so we'll move on.
<P></P>
And remember---it's a dangerous world out there. Be careful.
<P></P>
<table border="2" width="500" bgcolor="#ffe0e0"><tr><td>
<P></P>
<b>Definition of the safe levels</b>
<dl><dt><code>$SAFE</code> >= 1</dt><dd><ul>
<li> The environment variables <code>RUBYLIB</code> and <code>RUBYOPT</code> are not
processed, and the current directory is not added to the path.
</li><li> The command-line options <code>-e</code>, <code>-i</code>, <code>-I</code>, <code>-r</code>,
<code>-s</code>, <code>-S</code>, and <code>-x</code> are
not allowed.
</li><li> Can't start processes from <code>$PATH</code> if any directory
in it is world-writable.
</li><li> Can't manipulate or chroot to a directory whose name is a tainted string.
</li><li> Can't glob tainted strings.
</li><li> Can't eval tainted strings.
</li><li> Can't load or require a file whose name is a tainted string.
</li><li> Can't manipulate or query the status of a file or pipe whose
name is a tainted string.
</li><li> Can't execute a system command or exec a program from a
tainted string.
</li><li> Can't pass <code>trap</code> a tainted string.
</li></ul>
<P></P>
</dd><dt><code>$SAFE</code> >= 2</dt><dd><ul>
<li> Can't change, make, or remove directories, or use chroot.
</li><li> Can't load a file from a world-writable directory.
</li><li> Can't load a file from a tainted filename starting with ~.
</li><li> Can't use
<a href="ref_c_file.html#chmod"><code>File#chmod</code></a>,
<a href="ref_c_file.html#chown"><code>File#chown</code></a>,
<a href="ref_c_file.html#lstat"><code>File#lstat</code></a>,
<a href="ref_c_file.html#stat"><code>File::stat</code></a>,
<a href="ref_c_file.html#truncate"><code>File#truncate</code></a>,
<a href="ref_c_file.html#umask"><code>File::umask</code></a>,
<a href="ref_c_file.html#flock"><code>File#flock</code></a>,
<a href="ref_c_io.html#ioctl"><code>IO#ioctl</code></a>,
<a href="ref_c_io.html#stat"><code>IO#stat</code></a>,
<a href="ref_m_kernel.html#fork"><code>Kernel#fork</code></a>,
<a href="ref_m_kernel.html#syscall"><code>Kernel#syscall</code></a>,
<a href="ref_m_kernel.html#trap"><code>Kernel#trap</code></a>.
<a href="ref_m_process.html#setpgid"><code>Process::setpgid</code></a>,
<a href="ref_m_process.html#setsid"><code>Process::setsid</code></a>,
<a href="ref_m_process.html#setpriority"><code>Process::setpriority</code></a>, or
<a href="ref_m_process.html#egid_eq"><code>Process::egid=</code></a>.
</li><li> Can't handle signals using <code>trap</code>.
</li></ul>
<P></P>
</dd><dt><code>$SAFE</code> >= 3</dt><dd><ul>
<li> All objects are created tainted.
</li><li> Can't untaint objects.
</li></ul>
<P></P>
</dd><dt><code>$SAFE</code> >= 4</dt><dd><ul>
<li> Can't modify a nontainted array, hash, or string.
</li><li> Can't modify a global variable.
</li><li> Can't access instance variables of nontainted objects.
</li><li> Can't change an environment variable.
</li><li> Can't close or reopen nontainted files.
</li><li> Can't freeze nontainted objects.
</li><li> Can't change visibility of methods (private/public/protected).
</li><li> Can't make an alias in a nontainted class or module.
</li><li> Can't get meta information (such as method or variable lists).
</li><li> Can't define, redefine, remove, or undef a method in a nontainted
class or module.
</li><li> Can't modify <code>Object</code>.
</li><li> Can't remove instance variables or constants from nontainted
objects.
</li><li> Can't manipulate threads, terminate a thread other than the
current, or set <code>abort_on_exception</code>.
</li><li> Can't have thread local variables.
</li><li> Can't raise an exception in a thread with a lower <code>$SAFE</code> value.
</li><li> Can't move threads between ThreadGroups.
</li><li> Can't invoke <code>exit</code>, <code>exit!</code>, or <code>abort</code>.
</li><li> Can load only wrapped files, and can't include modules
in nontainted classes and modules.
</li><li> Can't convert symbol identifiers to object references.
</li><li> Can't write to files or pipes.
</li><li> Can't use <code>autoload</code>.
</li><li> Can't taint objects.
</li></ul>
</dd></dl>
</td></tr></table>
<P></P>
<p></p><hr><table bgcolor="#a03030" cellpadding="10" border="0" cellspacing="0"><tr><td width="33%" align="left"><a class="subheader" href="classes.html">Previous <</a></td><td width="33%" align="center" valign="middle"><a class="subheader" href="index.html">Contents ^</a><br></td><td width="33%" align="right"><a class="subheader" href="ospace.html">Next ></a><br></td></tr></table><p></p><font size="-1">Extracted from the book "Programming Ruby -
The Pragmatic Programmer's Guide"</font><br><font size="-3">
Copyright
©
2000 Addison Wesley Longman, Inc. Released under the terms of the
<a href="http://www.opencontent.org/openpub/">Open Publication License</a> V1.0.
<br>
This reference is available for
<a href="http://www.pragmaticprogrammer.com/ruby/downloads/book.html">download</a>.
</font></body></html>
|
