$SAFE question


#1

Hello all,

basically I just want to know if the code below is safe.
Assume ‘dangerous.rb’ is provided by someone you don’t know
and is located in a world writeable directory.

The filename is as unsafe as the file itself.

$SAFE = 1
filename = ‘dangerous.rb’.taint # just uploaded from untrusted user

fname = String.new(filename.to_s)
classname = File.basename(fname, ‘.rb’).capitalize
fname.untaint if File.expand_path(fname) =~ %r{^d:/simon/}i
code = IO.read(fname) # reading is safe hopefully

#create a new object from a class definition in dangerous.rb
unsafe_obj = Thread.new do
$SAFE = 4
begin
mod = Module.new
mod.module_eval(code)
mod.const_get(classname).new
rescue Exception => e
Exception.new(e.to_s)
end
end.value
raise unsafe_obj if Exception === unsafe_obj

as long as we do not call methods on unsafe_obj we should be safe,

right?

call a method on the new object

value = Thread.new do
$SAFE = 4
begin
String.new(unsafe_obj.meth.to_s)
rescue Exception => e
Exception.new(e.to_s)
end
end.value
raise value if Exception === value

value.untaint # this should be safe now! (?)
p value

cheers

Simon


#2

On Apr 28, 2006, at 6:07 AM, Kroeger, Simon (ext) wrote:

Hello all,

basically I just want to know if the code below is safe.
Assume ‘dangerous.rb’ is provided by someone you don’t know
and is located in a world writeable directory.

Yes and no. While in C code Ruby’s threads won’t switch, so
malicious code can easily cause your ruby interpreter to become non-
responsive.

echo ‘loop do 50000 ** 50000 end’ | dangerous.rb


Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com