【问题标题】:ruby1.9, rails & $SAFE=1ruby1.9, 轨道 & $SAFE=1
【发布时间】:2010-10-06 15:07:34
【问题描述】:

尝试使用 $SAFE=1(只是想在 drb 服务器中进行一些处理)会使 rails 无法使用:它无法加载某些路径、从数据库中恢复的数据被污染等等。例如:

rails console
Loading development environment (Rails 3.0.0)
ruby-1.9.2-p0 > $SAFE=1; User.first
SecurityError: Insecure operation - file?
    from .rvm/gems/ruby-1.9.2-p0/gems/activesupport-3.0.0/lib/active_support/dependencies.rb:408:in `file?'

只是无法加载 user.rb 文件

如果我尝试在设置路径之前执行 User.first(因此文件已经加载)它可以工作,但它会无法获取其他数据,因为来自 activerecord 的一些数据似乎被污染了。像这样的错误:

trace: .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `BigDecimal'
.rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `to_d'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:166:in `value_to_decimal'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:77:in `type_cast'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:114:in `extract_default'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:52:in `extract_default'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/abstract/schema_definitions.rb:34:in `initialize'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `new'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `block in columns'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `each'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/connection_adapters/mysql_adapter.rb:439:in `columns'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/engines/sql/relations/table.rb:78:in `columns'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/engines/sql/relations/table.rb:64:in `attributes'
.rvm/gems/ruby-1.9.2-p0/gems/arel-1.0.1/lib/arel/algebra/relations/relation.rb:177:in `[]'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation.rb:312:in `primary_key'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:291:in `find_one'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:281:in `find_with_ids'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/relation/finder_methods.rb:107:in `find'
.rvm/gems/ruby-1.9.2-p0/gems/activerecord-3.0.0/lib/active_record/base.rb:439:in `find'

这个错误可能是手动造成的:

rails console
Loading development environment (Rails 3.0.0)
ruby-1.9.2-p0 > $SAFE=1
 => 1 
ruby-1.9.2-p0 > a = "1"
 => "1" 
ruby-1.9.2-p0 > a.to_d
 => #<BigDecimal:3adca98,'0.1E1',9(18)> 
ruby-1.9.2-p0 > a.taint
 => "1" 
ruby-1.9.2-p0 > a.to_d
SecurityError: Insecure operation - BigDecimal
    from .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `BigDecimal'
    from .rvm/rubies/ruby-1.9.2-p0/lib/ruby/1.9.1/bigdecimal/util.rb:26:in `to_d'
    from (irb):6
    from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands/console.rb:44:in `start'
    from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands/console.rb:8:in `start'
    from .rvm/gems/ruby-1.9.2-p0/gems/railties-3.0.0/lib/rails/commands.rb:23:in `<top (required)>'
    from <internal:lib/rubygems/custom_require>:33:in `require'
    from <internal:lib/rubygems/custom_require>:33:in `rescue in require'
    from <internal:lib/rubygems/custom_require>:29:in `require'
    from script/rails:6:in `<main>'
ruby-1.9.2-p0 > 

知道如何同时使用 rails 和 $SAFE=1 吗?

【问题讨论】:

    标签: ruby security ruby-on-rails-3 ruby-1.9


    【解决方案1】:

    据我所知,并没有真正努力让 Rails 以 Ruby 的$SAFE 模式运行。这样做会有很多问题——你必须处理模型和控制器文件的动态加载(和重新加载)、路由(手动清除来自外部世界的数据)等等。

    Rails 核心团队多次表达了他们对 Rails 中支持$SAFE 变量的看法:基本上,归结为:

    • $SAFE 不是绝对的保护——它可能会避免 SQL 注入和类似的攻击,但它不会真正帮助抵御 XSS 攻击、cookie 窃取/嗅探、通常不安全的设计等。
    • $SAFE 支持实施起来相当笨拙,并且会大大减慢整个过程。即使它默认关闭,在任何地方进行额外的.untaint 调用也会产生一些速度损失。

    人们偶尔会在邮件列表中报告一些$SAFE 环境中成功运行 Rails 的各个部分,但通常仅限于诸如 ERB/ERRuby 或其他模板引擎之类的东西。

    【讨论】:

    • 感谢您的回答。我已经决定实现一些自定义通信,因为这种方式看起来不太好。
    猜你喜欢
    • 1970-01-01
    • 2012-02-08
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2012-04-03
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多