Forum: Ruby SecurityError requiring gems and other files with $SAFE=1 in Ruby 1.9.1

Phil Ross (psross)
on 2009-04-15 21:06
(Received via mailing list)
I'm using my own compiled version of Ruby 1.9.1p0 on Debian etch. With
$SAFE=1, I get the following error trying to require gems (in this
example Rake, but I get the same error with other gems):

 >> $SAFE=1
=> 1
 >> require 'rake'
SecurityError: Insecure operation - require
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The Rake gem is installed in the usual place:

 >> $:.find {|s| s =~ /rake/}
=> "/usr/local/ruby/1.9.1-p0/lib/ruby/gems/1.9.1/gems/rake-0.8.4/bin"

I get the same error trying to load an arbitrary file:

 >> $SAFE=1
=> 1
 >> require 'testing'
SecurityError: Insecure operation - require
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I've just tried with the latest Ruby snapshot version and this has the
same issues, albeit with a (slightly) more helpful error message:

 >> $SAFE=1
=> 1
 >> require 'rake'
SecurityError: cannot load from insecure path -
/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
         from (irb):2:in `require'
         from (irb):2
         from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'

Could anyone tell me if this is the expected behaviour of Ruby 1.9? I
couldn't find any information about safe mode that would suggest these
SecurityErrors should be raised?

Thanks,

Phil
Phil Ross (psross)
on 2009-04-15 21:20
(Received via mailing list)
Philip Ross wrote:
> I get the following error trying to require gems (in this
> example Rake, but I get the same error with other gems):
>
>  >> $SAFE=1
> => 1
>  >> require 'rake'
> SecurityError: Insecure operation - require
>         from (irb):2:in `require'
>         from (irb):2
>         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

I've now found that if I bypass RubyGems and require rake manually using
its full path, I don't get the SecurityError.

 >> $SAFE=1
=> 1
 >> require '/usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake'
=> true

> I get the same error trying to load an arbitrary file:
>
>  >> $SAFE=1
> => 1
>  >> require 'testing'
> SecurityError: Insecure operation - require
>         from (irb):2:in `require'
>         from (irb):2
>         from /usr/local/ruby/1.9/bin/irb:12:in `<main>'

The same is true requiring arbitrary files - if I use the full path
rather than relying on the load paths, I don't get the security error:

 >> $SAFE=1
=> 1
 >> require '/home/testuser/testing.rb'
=> true

Should Ruby 1.9 behave the same when requiring files using a full path
as when relying on the load paths?

Regards,

Phil
Eric Hodel (Guest)
on 2009-04-15 23:21
(Received via mailing list)
On Apr 15, 2009, at 12:05, Philip Ross wrote:

>        from /usr/local/ruby/1.9/bin/irb:12:in `<main>'
> >> require 'testing'
> >> require 'rake'
> SecurityError: cannot load from insecure path - /usr/local/ruby/snapshot/lib/ruby/gems/1.9.1/gems/rake-0.8.4/lib/rake.rb
>        from (irb):2:in `require'
>        from (irb):2
>        from /usr/local/ruby/snapshot/bin/irb:12:in `<main>'
>
> Could anyone tell me if this is the expected behaviour of Ruby 1.9?
> I couldn't find any information about safe mode that would suggest
> these SecurityErrors should be raised?

This is likely the issue:

$ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'

Please file a bug.
Phil Ross (psross)
on 2009-04-16 21:56
Eric Hodel wrote:
> This is likely the issue:
>
> $ ruby19 -rpp -e '$SAFE = 1; pp $LOAD_PATH.map { |path| [path, path.tainted?] }'
>
> Please file a bug.

I am seeing that the gem lib paths are tainted, but the current
directory is not. I am seeing the SecurityError requiring files from
gems and from the current directory though.

I've just tried running

$LOAD_PATH.each {|p| p.untaint}

to untaint each entry in the load path. The load path entries all become
untainted, but SecurityErrors are still raised when running require.

Regards,

Phil
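The diagnostic Eric suggests, recast as a small load-path audit that still runs on current Ruby, where `$SAFE` (a plain global since Ruby 3.0) and taint tracking (methods removed in Ruby 3.2) no longer exist. This is an added example, not code from the thread: it reports `tainted?` only where the interpreter still provides it and otherwise flags the properties that made entries tainted or unsafe under `$SAFE=1`, namely relative entries (resolved against the current directory at require time), entries under directories taken from RUBYLIB, GEM_PATH or GEM_HOME, and world-writable directories; the variable list and the prefix heuristic are assumptions.

```ruby
require 'pathname'

# Assumption: these are the variables whose values end up in $LOAD_PATH.
# Their values are strings from the process environment, the classic
# source of tainted strings under $SAFE=1.
LOAD_PATH_ENV_VARS = %w[RUBYLIB GEM_PATH GEM_HOME].freeze

def env_prefixes(env)
  LOAD_PATH_ENV_VARS.flat_map { |v| (env[v] || '').split(File::PATH_SEPARATOR) }
                    .reject(&:empty?)
                    .map { |p| File.expand_path(p) }
end

def under?(path, prefix)
  path == prefix || path.start_with?(prefix + File::SEPARATOR)
end

# Returns { entry => [reasons] }; an empty array means no finding.
# `env` is injected so the audit can be run on constructed data.
def audit_load_path(load_path = $LOAD_PATH, env = ENV)
  prefixes = env_prefixes(env)
  load_path.each_with_object({}) do |entry, report|
    reasons = []
    # Only interpreters older than 3.2 still answer this; it is the check
    # Eric's one-liner performed.
    reasons << 'tainted' if entry.respond_to?(:tainted?) && entry.tainted?
    # A relative entry is resolved against the current directory on every
    # require, so whoever controls cwd chooses what gets loaded.
    reasons << 'relative entry' unless Pathname.new(entry).absolute?
    abs = File.expand_path(entry)
    reasons << 'derived from environment' if prefixes.any? { |p| under?(abs, p) }
    begin
      reasons << 'world-writable directory' if File.stat(abs).world_writable?
    rescue SystemCallError
      reasons << 'not accessible'
    end
    report[entry] = reasons
  end
end

if $PROGRAM_NAME == __FILE__
  audit_load_path.each do |entry, reasons|
    puts "#{entry}: #{reasons.empty? ? 'ok' : reasons.join(', ')}"
  end
end
```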