I thought to use the taint/untaint mechanism included with ruby to
enhance security in zena. I have read that
using taint is not that good for the following reasons:
- It’s not working on certain implementations of ruby (JRuby, IronRuby, …)
- It’s a lot of work to make work (lots of tiny taint management code everywhere)
I think I will just abandon this “taint” idea and continue writing
careful code and tests.
safe_erb uses tainted? to make sure you properly sanitize the various
inputs of your application. You might want to look at it. I prefer to
use it during development and tests to raise exceptions and disable it
in production to avoid any performance penalty or unwanted errors (which
would mean tests are missing, but I prefer rcov to user error reports
helping me get good test coverage).
> I think I will just abandon this “taint” idea and continue writing
> careful code and tests.
> What do you think?

> safe_erb uses tainted? to make sure you properly sanitize the various
> inputs of your application. You might want to look at it.
safe_erb is a nice idea, but it still means you have to untaint each
time you do a sanity check like
# \A and \z anchor the whole string; ^ and $ only anchor a line in Ruby
return parser_error("invalid name #{name.inspect}") unless name =~ /\A[a-zA-Z_]+\z/
name.untaint # <<< line to add
...
You cannot remove these lines (with some kind of conditional
compilation) in production mode, and you still have to write them…
I’m not sure if it’s worth the effort and performance impact… Hmmm…
> safe_erb is a nice idea, but it still means you have to untaint each
> time you do a sanity check like
>
> return parser_error("invalid name #{name.inspect}") unless name =~ /\A[a-zA-Z_]+\z/
> name.untaint # <<< line to add
Yes, nothing is free.

> You cannot remove these lines (with some kind of conditional
> compilation)

Compilation?
What you do is simply redefine your sanitizing method (that you should
already have by the way) to untaint in dev mode, no more, no less.
safe_erb does it for html_escape, escape_once and strip_tags for
example.
In production there’s zero impact: your original sanitizing methods run
unmodified and you don’t even have to put safe_erb in vendor/plugins
there.
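The pattern described in this thread (untaint after a sanity check, and in development wrap the existing sanitizers so their results are untainted while production runs them unmodified) as an added example; this is not code from zena or safe_erb. Object#taint, #untaint and #tainted? were deprecated in Ruby 2.7 and removed in Ruby 3.2, so the example carries the flag in an instance variable instead; the Taint, Sanitize, TaintCheck and Output modules and the taint_demo method are hypothetical names, and the request parameters are constructed. Unlike the original mechanism, this flag does not propagate through string operations.

```ruby
# Stand-in for Ruby's removed taint flag: the flag lives in an instance
# variable on the string. A new string produced by gsub, +, upcase, ...
# is not flagged, so this only tracks the object that entered the app.
module Taint
  FLAG = :@__untrusted

  # Call where untrusted input enters the application (request params, URL).
  def self.mark(str)
    s = str.dup                     # literals may be frozen; work on a copy
    s.instance_variable_set(FLAG, true)
    s
  end

  def self.tainted?(obj)
    obj.instance_variable_defined?(FLAG) && obj.instance_variable_get(FLAG)
  end

  # Declare a string sanitized (the "name.untaint" line from the thread).
  def self.clear(str)
    s = str.frozen? ? str.dup : str
    s.instance_variable_set(FLAG, false)
    s
  end
end

class TaintError < StandardError; end

# The application's own sanitizers. Production runs exactly these methods.
module Sanitize
  HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;' }.freeze

  def self.html_escape(str)
    str.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
  end

  # \A and \z anchor the whole string; ^ and $ match at any line boundary in
  # Ruby, so "node\n<script>" would pass a ^...$ check.
  NAME_RE = /\A[a-zA-Z_]+\z/

  def self.check_name(name)
    raise ArgumentError, "invalid name #{name.inspect}" unless name.to_s.match?(NAME_RE)
    name
  end
end

# Development/test only: wraps each sanitizer so that its return value is
# marked clean, the way safe_erb does for html_escape, escape_once and
# strip_tags. Nothing here is enabled in production, so the sanitizers above
# run unmodified there.
module TaintCheck
  WRAPPED = %i[html_escape check_name].freeze
  @originals = {}

  def self.enabled?
    !@originals.empty?
  end

  def self.enable!
    return if enabled?
    WRAPPED.each do |meth|
      orig = Sanitize.method(meth)
      @originals[meth] = orig
      Sanitize.define_singleton_method(meth) { |str| Taint.clear(orig.call(str)) }
    end
  end

  def self.disable!
    @originals.each { |meth, orig| Sanitize.define_singleton_method(meth, orig) }
    @originals.clear
  end
end

# Output layer (what a template engine would do): in check mode it refuses any
# string that is still flagged, i.e. input that bypassed every sanitizer.
module Output
  def self.render(*parts)
    if TaintCheck.enabled?
      bad = parts.find { |p| Taint.tainted?(p) }
      raise TaintError, "unsanitized input reached output: #{bad.inspect}" if bad
    end
    parts.join
  end
end

# Runs the same three renders in :production or :development mode.
def taint_demo(mode)
  mode == :development ? TaintCheck.enable! : TaintCheck.disable!
  input = Taint.mark("<script>alert(1)</script>")   # constructed request param
  name  = Taint.mark("node_title")                  # constructed request param
  out = {}
  out[:escaped] = Output.render("<p>", Sanitize.html_escape(input), "</p>")
  out[:checked] = Output.render("name=", Sanitize.check_name(name))
  out[:raw] = begin
    Output.render("<p>", input, "</p>")
  rescue TaintError
    :taint_error
  end
  out
ensure
  TaintCheck.disable!
end

if __FILE__ == $PROGRAM_NAME
  p taint_demo(:production)    # raw input reaches the output unnoticed
  p taint_demo(:development)   # raw input raises TaintError
end
```

In production mode the unsanitized render silently succeeds, which is the "zero impact" point: no wrapper runs and no check is made. In development mode the same render raises, while the two sanitized renders pass because the wrapped sanitizers cleared the flag, so the untaint call does not have to be written at every call site.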