I've been looking through the new concept of 'trust' in Ruby 1.9, and I'd like to make sure I'm understanding the motivation behind it and the way it should be used. It seems to parallel the concept of 'taintedness.' But whereas taintedness is intended to keep track of incoming data, trust seems to keep track of internal execution. That is, once the safe level has been set to 3, all objects that are subsequently created are by default untrusted. I'm not clear, however, how this can be used in practice. Is it intended to be used in code sandboxes?

Dave
on 19.08.2008 15:56
on 19.08.2008 18:41
Hi,

2008/8/19 Dave Thomas <dave@pragprog.com>:
> I'm not clear, however, how this can be used in practice. Is it intended to
> be used in code sandboxes?

Yes, it is.

Before the introduction of trust, taintedness denoted two different statuses.

  (1) input data from outside a program
  (2) objects created by untrusted code (objects created at safe level 3 or 4)

At safe level 4, modifications of tainted objects are allowed, but it's not intended to allow modifications of (1) input data from outside a program. For example, the following code allows a modification of $PROGRAM_NAME unexpectedly.

  lambda {
    $SAFE = 4
    $PROGRAM_NAME.replace("Hello, World!")
  }.call
  puts $PROGRAM_NAME

So we decided to separate two different meanings of taintedness to avoid this problem. In trunk, (2) objects created by untrusted code are tainted and untrusted, and modifications of trusted objects are not allowed at safe level 4.
on 19.08.2008 19:41
On Aug 19, 2008, at 11:38 AM, Shugo Maeda wrote:
> In trunk, (2) objects created by untrusted code are tainted and untrusted,
> and modifications of trusted objects are not allowed at safe level 4.

Shugo:

Thanks for the explanation. What does it mean when you say "objects created by untrusted code are tainted and untrusted?" I tried:

  dave[RUBY3/Book 11:04:03*] irb
  irb(main):001:0> class Dave;end
  => nil
  irb(main):002:0> Dave.untrust
  => Dave
  irb(main):003:0> d = Dave.new
  => #<Dave:0x108cf4>
  irb(main):004:0> d.untrusted?
  => false
  irb(main):005:0> d.tainted?
  => false

Is there an example of a sandbox that uses trust?

Dave
on 20.08.2008 10:00
Hi,

2008/8/20 Dave Thomas <dave@pragprog.com>:
> Thanks for the explanation. What does it mean when you say "objects created
> by untrusted code are tainted and untrusted?" I tried:

It means objects created at safe level 4. For example:

  irb(main):001:0> x = lambda { $SAFE=4; Object.new}.call
  => #<Object:0x83d1c58>
  irb(main):002:0> x.tainted?
  => true
  irb(main):003:0> x.untrusted?
  => true

> Is there an example of a sandbox that uses trust?

At safe level 4, only objects created at safe level 4 or marked as untrusted manually are modifiable.

  irb(main):001:0> p lambda { $SAFE=4; s = ""; s << "xxx"; s }.call
  "xxx"
  => "xxx"
  irb(main):002:0> $s = ""
  => ""
  irb(main):003:0> p lambda { $SAFE=4; $s << "xxx"; $s }.call
  SecurityError: Insecure: can't modify string
          from (irb):3:in `block (8 levels) in irb_binding'
          from (irb):3:in `call'
          from (irb):3
          from /home/shugo/local/bin/irb-trunk:12:in `<main>'
  irb(main):004:0> $s.taint
  => ""
  irb(main):005:0> p lambda { $SAFE=4; $s << "xxx"; $s }.call
  SecurityError: Insecure: can't modify string
          from (irb):5:in `block (11 levels) in irb_binding'
          from (irb):5:in `call'
          from (irb):5
          from /home/shugo/local/bin/irb-trunk:12:in `<main>'
  irb(main):006:0> $s.untrust
  => ""
  irb(main):007:0> p lambda { $SAFE=4; $s << "xxx"; $s }.call
  "xxx"
  => "xxx"
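The following is an added example, not code from this thread and not Ruby's own implementation. It models the two flags the thread discusses so that both Shugo's $PROGRAM_NAME problem and his irb session can be reproduced on a Ruby without $SAFE level 4 (that level, and the taint/untrust methods, no longer exist in current Ruby). The Sandbox module, the TrackedString class, its append method and the :trust/:taint rule names are assumptions chosen for illustration; the "irb" value standing in for $PROGRAM_NAME is constructed.

```ruby
# Added example: a model of Ruby 1.9's taint/trust flags as described in the
# thread. Not Ruby's implementation; Sandbox and TrackedString are assumptions.

module Sandbox
  @level = 0
  @rule  = :trust

  class << self
    attr_reader :level, :rule

    # Run a block at a raised safe level, like `lambda { $SAFE = 4; ... }.call`.
    # rule: :trust - trunk behaviour from the thread: at level 4 only untrusted
    #                objects may be modified.
    #       :taint - the earlier behaviour: at level 4 any tainted object may be
    #                modified, external input included.
    def at_level(level, rule: :trust)
      saved = [@level, @rule]
      raise ArgumentError, "safe level cannot be lowered" if level < @level
      @level, @rule = level, rule
      yield
    ensure
      @level, @rule = saved
    end

    # The modification check applied by TrackedString#append.
    def modifiable?(obj)
      return true if @level < 4
      @rule == :taint ? obj.tainted? : obj.untrusted?
    end
  end
end

class TrackedString
  def initialize(str, tainted: false, untrusted: false)
    @str = str.dup
    # Objects created by code running at safe level 3 or 4 are marked both
    # tainted and untrusted, as the thread describes.
    sandboxed  = Sandbox.level >= 3
    @tainted   = tainted   || sandboxed
    @untrusted = untrusted || sandboxed
  end

  def tainted?;   @tainted;   end
  def untrusted?; @untrusted; end
  def taint;   @tainted = true;   self; end
  def untrust; @untrusted = true; self; end
  def to_s;    @str.dup; end

  # In-place append: the only operation here that is subject to the check.
  def append(other)
    raise SecurityError, "Insecure: can't modify string" unless Sandbox.modifiable?(self)
    @str << other
    self
  end
end

# irb(main):001 from the thread: a string created inside the level-4 block is
# both tainted and untrusted, so level-4 code may modify it.
def created_inside_sandbox
  Sandbox.at_level(4) do
    s = TrackedString.new("")
    s.append("xxx")
    [s.to_s, s.tainted?, s.untrusted?]
  end
end

# irb(main):002-007: a string created at level 0 is trusted. Level-4 code may
# not modify it, tainting it changes nothing, and only untrust opens it up.
# mark is :none, :taint or :untrust; returns the new value or the error text.
def modify_outer_string(mark)
  s = TrackedString.new("")
  s.taint   if mark == :taint
  s.untrust if mark == :untrust
  Sandbox.at_level(4) { s.append("xxx") }
  s.to_s
rescue SecurityError => e
  e.message
end

# The $PROGRAM_NAME problem: external input is tainted, so under the old
# taint-only rule sandboxed code could overwrite it; under the trust rule
# it stays read-only because it was never marked untrusted.
def program_name_under_rule(rule)
  program_name = TrackedString.new("irb", tainted: true) # constructed stand-in
  Sandbox.at_level(4, rule: rule) { program_name.append("!") }
  program_name.to_s
rescue SecurityError => e
  e.message
end
```

Running modify_outer_string with :none, :taint and :untrust reproduces the three outcomes of Shugo's session (error, error, "xxx"), and program_name_under_rule(:taint) versus program_name_under_rule(:trust) shows why the single tainted flag had to be split: one flag cannot say both "this came from outside" and "this may be written by sandboxed code".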