Forum: Ruby SecurityError requiring gems and other files with $SAFE=1 in Ruby 1.9.1

Phil R. (Guest)
on 2009-04-15 23:06
(Received via mailing list)
I'm using my own compiled version of Ruby 1.9.1p0 on Debian etch. With
$SAFE=1, I get the following error trying to require gems (in this
example Rake, but I get the same error with other gems):

 >> $SAFE=1
=> 1
 >> require 'rake'
SecurityError: Insecure operation - require
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The Rake gem is installed in the usual place:

 >> $:.find {|s| s =~ /rake/}
=> "/usr/local/ruby/1.9.1-p0/lib/ruby/gems/1.9.1/gems/rake-0.8.4/bin"

I get the same error trying to load an arbitrary file:

 >> $SAFE=1
=> 1
 >> require 'testing'
SecurityError: Insecure operation - require
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I've just tried with the latest Ruby snapshot version and this has the
same issues, albeit with a (slightly) more helpful error message:

 >> $SAFE=1
=> 1
 >> require 'rake'
SecurityError: cannot load from insecure path -
/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'

Could anyone tell me if this is the expected behaviour of Ruby 1.9? I
couldn't find any information about safe mode that would suggest these
SecurityErrors should be raised?

Thanks,

Phil
Phil R. (Guest)
on 2009-04-15 23:20
(Received via mailing list)
Philip R. wrote:
> I get the following error trying to require gems (in this
> example Rake, but I get the same error with other gems):
>
>  >> $SAFE=1
> => 1
>  >> require 'rake'
> SecurityError: Insecure operation - require
>         from (irb):2:in `require'
>         from (irb):2
>         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I've now found that if I bypass RubyGems and require rake manually using
its full path, I don't get the SecurityError.

 >> $SAFE=1
=> 1
 >> require '/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake'
=> true

> I get the same error trying to load an arbitrary file:
>
>  >> $SAFE=1
> => 1
>  >> require 'testing'
> SecurityError: Insecure operation - require
>         from (irb):2:in `require'
>         from (irb):2
>         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The same is true requiring arbitrary files - if I use the full path
rather than relying on the load paths, I don't get the security error:

 >> $SAFE=1
=> 1
 >> require '/home/testuser/testing.rb'
=> true

Should Ruby 1.9 behave the same when requiring files using a full path
as when relying on the load paths?

Regards,

Phil
Eric H. (Guest)
on 2009-04-16 01:21
(Received via mailing list)
On Apr 15, 2009, at 12:05, Philip R. wrote:

>        from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
> >> require 'testing'
> >> require 'rake'
> SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
>        from (irb):2:in `require'
>        from (irb):2
>        from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'
>
> Could anyone tell me if this is the expected behaviour of Ruby 1.9?
> I couldn't find any information about safe mode that would suggest
> these SecurityErrors should be raised?

This is likely the issue:

$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'

Please file a bug.
Phil R. (Guest)
on 2009-04-16 23:56
Eric H. wrote:
> This is likely the issue:
>
> $ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'
>
> Please file a bug.

I am seeing that the gem lib paths are tainted, but the current
directory is not. I am seeing the SecurityError requiring files from
gems and from the current directory though.

I've just tried running

$LOAD_PATH.each {|p| p.untaint}

to untaint each entry in the load path. The load path entries all become
untainted, but SecurityErrors are still raised when running require.

Regards,

Phil
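Eric's one-liner above lists which `$LOAD_PATH` entries are tainted, and Phil's follow-up shows that clearing the taint flag alone does not make `$SAFE=1` accept the path. The following is an added example written for this page, not code posted in the thread: a small audit of load path entries for the two properties Ruby's safe-mode `require` refused, a tainted entry (a string derived from ENV, ARGV or I/O, which is how RubyGems' paths picked up their taint) and an entry under a directory that is world-writable without the sticky bit (Ruby's own load path check warns "Insecure world writable dir ... in LOAD_PATH" for these). Taint tracking was deprecated in Ruby 2.7 and removed in 3.2, so the taint test is guarded and simply reports false on modern interpreters; the permission walk works on any version. The `SAMPLE_MODES`, `SAMPLE_ENTRIES` and `SAMPLE_STAT` values are constructed for the example so it runs offline; `LoadPathAudit` is a name chosen here.

```ruby
# Added example (not from the thread): audit $LOAD_PATH entries for what
# Ruby 1.9's $SAFE=1 `require` rejected. Taint checks are optional because
# String#tainted? no longer exists on Ruby >= 3.2.
require 'pathname'

module LoadPathAudit
  module_function

  # True only when the interpreter still has the taint flag and the string
  # carries it; on interpreters without taint tracking this is always false.
  def tainted?(str)
    str.respond_to?(:tainted?) && str.tainted?
  rescue NoMethodError, NotImplementedError
    false
  end

  # World-writable (mode bit 0o002) and not sticky (0o1000): anyone could
  # drop a file there that a later `require` would pick up.
  def world_writable_unsticky?(mode)
    (mode & 0o002) != 0 && (mode & 0o1000) == 0
  end

  # Walk the directory and each ancestor, as Ruby's load path check does.
  # `stat_fn` maps a path to a File::Stat-like object (nil if missing);
  # it is injected so the walk can be exercised against constructed data.
  def insecure_ancestor(dir, stat_fn)
    Pathname.new(dir).ascend do |p|
      st = stat_fn.call(p.to_s)
      next if st.nil? || !st.directory?
      return p.to_s if world_writable_unsticky?(st.mode)
    end
    nil
  end

  # Returns [entry, reason] pairs for entries safe mode would have refused.
  # Relative entries are flagged too: they resolve against whatever the
  # current directory happens to be at load time.
  def audit(entries, stat_fn = method(:default_stat))
    entries.each_with_object([]) do |entry, problems|
      if tainted?(entry)
        problems << [entry, :tainted]
      elsif !Pathname.new(entry).absolute?
        problems << [entry, :relative]
      elsif (bad = insecure_ancestor(entry, stat_fn))
        problems << [entry, "world-writable ancestor #{bad}"]
      end
    end
  end

  def default_stat(path)
    File.stat(path)
  rescue SystemCallError
    nil
  end
end

# Constructed sample filesystem (directory modes) and load path, used so
# the audit can run without touching the real disk.
SAMPLE_MODES = {
  '/' => 0o40755, '/usr' => 0o40755, '/usr/lib' => 0o40755,
  '/usr/lib/ruby' => 0o40755,
  '/tmp' => 0o41777,        # world-writable but sticky: not flagged
  '/tmp/lib' => 0o40755,
  '/opt' => 0o40755,
  '/opt/shared' => 0o40777, # world-writable and not sticky: flagged
  '/opt/shared/gems' => 0o40755,
}.freeze
FakeStat = Struct.new(:mode) do
  def directory?
    true
  end
end
SAMPLE_STAT = ->(path) { (m = SAMPLE_MODES[path]) && FakeStat.new(m) }
SAMPLE_ENTRIES = ['/usr/lib/ruby', '/tmp/lib', '/opt/shared/gems', 'lib'].freeze

if __FILE__ == $PROGRAM_NAME
  # Audit the constructed sample, then the interpreter's real $LOAD_PATH.
  LoadPathAudit.audit(SAMPLE_ENTRIES, SAMPLE_STAT).each { |e, why| puts "sample  #{why}: #{e}" }
  LoadPathAudit.audit($LOAD_PATH).each { |e, why| puts "real    #{why}: #{e}" }
end
```

Run it as a script to print findings for both the sample and the live `$LOAD_PATH`; `LoadPathAudit.audit($LOAD_PATH)` returns an empty array on a cleanly installed interpreter. On the sample data it flags `/opt/shared/gems` because `/opt/shared` is world-writable without the sticky bit, and `lib` because it is relative, while `/tmp/lib` passes since `/tmp` is sticky.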