What are tainted objects, and when should we untaint them? - McMap

About

What are tainted objects, and when should we untaint them?

Asked 11/1, 2013 at 15:13 Answered 11/1, 2013 at 15:33

Solved ruby ruby-1.9 taint taint-checking

O

1

20

When do Ruby objects need to be made tainted and when should we untaint them? How does the concept of tainted object make a Ruby script run in safe mode? Can anyone elaborate on this to make the concept clear with some code snippets?

Oniskey answered 11/1, 2013 at 15:13 Comment(2)

Related answer, but not a duplicate question: https://mcmap.net/q/663932/-can-one-use-ruby-safe-level-against-exploits-of-rails-vulnerabilities – Frampton 11/1, 2013 at 15:17

Can a bit focus on to the question How does the concept of tainted object make a Ruby script run in safe mode?? – Oniskey 11/1, 2013 at 15:49

F

22

What is Tainted?

User input is tainted, by definition. For example:

string = gets
string.tainted?
# => true

You can also manually taint an object.

string = 'Not yet tainted.'
string.tainted?
# => false

(string = 'Explicitly taint me!').taint
string.tainted?
# => true

Why Untaint an Object?

Generally, you would untaint an object only after you validate and/or sanitize it. Untainting an object marks it as "safe" for certain operations that you wouldn't want to run on untrusted strings or other objects, or when your safe level requires an untainted object to perform the desired operation.

Untainting an Object

The easiest way to untaint an object is to call the Object#untaint method on it. For example, if your string variable holds a tainted object, then:

(string = "Let's taint this string!").taint
string.untaint.tainted?
# => false

More About Tainted Objects

You can find out more about tainted objects from the Locking Ruby in the Safe chapter of Programming Ruby.

Frampton answered 11/1, 2013 at 15:33 Comment(4)

Perfect explanation! +1 to you! but How does the concept of tainted object make a Ruby script run in safe mode? any suggestions on this question? – Oniskey 11/1, 2013 at 15:36

@PythonLikeYOU I updated the answer to reflect when you might want to untaint an object. By itself, (un)tainting doesn't do anything except change a flag on your object. It really only matters when you're concerned about the safety of your inputs (e.g. SQL injection or #eval methods), or when $SAFE >= 1. – Frampton 11/1, 2013 at 15:41

has my above asked question(in comment) also answered? I am just wandering in your post! – Oniskey 11/1, 2013 at 16:5

What does "safe" for certain operations mean? which operations are being referred to here? – Clementeclementi 28/5, 2016 at 10:20

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.