#1

I was wondering if there was a full-featured untaint() method available for Ruby. We're assuming the built-in untaint() methods simply remove the flag rather than modify the string. We're thinking about converting this Perl module to Ruby if there's nothing available: http://www.dartmouth.edu/web/cgi/untaint.pm.txt Thanks.
#2

Randy Lawrence (jm@zzzzzzzzzzzz.com) wrote:

> Hi,
>
> I was wondering if there was a full-featured untaint() method available
> for Ruby. We're assuming the built-in untaint() methods simply remove
> the flag rather than modify the string.

Note that any object in ruby can be tainted. When combined with setting $SAFE to a level that always creates tainted objects you can easily create a "suspect" object for processing that will be safely handled in your application.

--
Eric Hodel - drbrain@segment7.net - http://segment7.net
All messages signed with fingerprint: FEC2 57F1 D465 EB15 5D6E 7C11 332A 551C 796C 9F04
#3

> Randy Lawrence (jm@zzzzzzzzzzzz.com) wrote:
>
>> Hi,
>>
>> I was wondering if there was a full-featured untaint() method available
>> for Ruby. We're assuming the built-in untaint() methods simply remove
>> the flag rather than modify the string.
>
> Note that any object in ruby can be tainted. When combined with setting
> $SAFE to a level that always creates tainted objects you can easily
> create a "suspect" object for processing that will be safely handled in
> your application.

We're using a default $SAFE level of 2. What we'd like to find out is if there is a ruby class or method that will fully parse+modify+untaint (rather than simply removing the taint flag) of:

1. strings potentially utilized as part of a shell command (prevent shell command injection)

2. strings potentially utilized as part of sql statements (prevent sql injection)

3. strings potentially utilized as part of html documents (prevent cross-site scripting)

and so on... Surely this functionality is REQUIRED by anyone using ruby to generate html or constructing sql statements using any potentially tainted data. All the productivity gains possible by superior language elegance are lost if the wheels have to keep being reinvented. IMHO, this is a wheel.
#4

Randy Lawrence wrote:

> What we'd like to find out is if there is a ruby class or method that
> will fully parse+modify+untaint (rather than simply removing the taint
> flag) of:
>
> 1. strings potentially utilized as part of a shell command
>    (prevent shell command injection)
>
> 2. strings potentially utilized as part of sql statements
>    (prevent sql injection)
>
> 3. strings potentially utilized as part of html documents

Do you want to escape all the characters that are dangerous for Shell, SQL _and_ HTML "just in case"? That's pretty useless IMO; the template engine is responsible for HTML, the database lib for SQL, and Shell is used so rarely that you can do it by hand.
#5

On Mon, 21 Jun 2004 21:49:45 GMT, Randy Lawrence <jm@zzzzzzzzzzzz.com> wrote:

> Hi,
>
> I was wondering if there was a full-featured untaint() method available
> for Ruby. We're assuming the built-in untaint() methods simply remove
> the flag rather than modify the string.

For the SQL stuff it's up to the DBMS drivers to provide a quote() method. I'd agree a similar method for shell stuff would be useful.
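The point made in #4 and #5 (one escaper per output language, supplied by the layer that emits that language, rather than a single "untaint everything" pass) as an added example; this is not code from the thread or from the Dartmouth untaint.pm module. Shellwords and ERB::Util are Ruby standard library; for_sql is a hand-written illustration of what a driver's quote() does for string literals and is not a replacement for bind parameters; grep_argv and strip_dangerous are assumed names used only for comparison. Taint and $SAFE are deliberately not used, since they were removed from Ruby 3.2.

```ruby
# Added example: context-specific escaping in Ruby, one routine per output
# language, instead of one "strip all dangerous characters" untaint.
require 'shellwords'
require 'erb'

module ContextEscape
  # Shell: quote one argument so the shell reads it as a single word.
  def self.for_shell(arg)
    Shellwords.escape(arg)
  end

  # Better than escaping at all: pass an argv array to system/spawn so no
  # shell parses anything. (grep is an assumed command; any program works.)
  def self.grep_argv(pattern, path)
    ['grep', '--', pattern, path]
  end

  # SQL string literal: double the single quotes, per SQL-92. This is what
  # a driver's quote() does for standard-conforming DBMSs; MySQL also treats
  # backslash as an escape character, which is exactly why the driver's own
  # quote(), or preferably a bind parameter, should be used in real code.
  def self.for_sql(value)
    return 'NULL' if value.nil?
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  # HTML text and attribute content: & < > " ' become entities.
  def self.for_html(text)
    ERB::Util.html_escape(text.to_s)
  end

  # The "remove everything dangerous" approach the thread asks about, kept
  # here only to show that it silently corrupts legitimate data.
  def self.strip_dangerous(s)
    s.to_s.delete(%q{'"<>&;|`$})
  end
end

if __FILE__ == $0
  # Constructed hostile input that is dangerous in all three contexts.
  hostile = %q{O'Brien; rm -rf / <script>alert(1)</script>}
  puts "shell: #{ContextEscape.for_shell(hostile)}"
  puts "sql:   SELECT * FROM users WHERE name = #{ContextEscape.for_sql(hostile)}"
  puts "html:  <td>#{ContextEscape.for_html(hostile)}</td>"
  puts "strip: #{ContextEscape.strip_dangerous("O'Brien")}"
end
```

The shell escaper can be checked by round-tripping through Shellwords.split, which must return the original value as a single argument; the SQL and HTML escapers preserve the apostrophe in O'Brien, whereas strip_dangerous turns it into OBrien, which is the data-loss cost of a context-free untaint.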