Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Allow per-class whitelisting of methods safe to expose through DRb #50

Closed
wants to merge 3 commits into from

3 participants

Mohamed Hafez Urabe, Shyouhei Zachary Scott
Mohamed Hafez

Allows the optional declaration of a whitelist of methods to expose through DRb for any class DRb will be sharing an instance of. (The current behavior of exposing all public methods of a class can leave a pretty scary security hole in some applications)

If drb_safe_methods is used in a class's definition, then any attempt to call a non-whitelisted method on that class through DRb will fail. There is no change to DRb's normal behavior if drb_safe_methods has not been called in a class's definition.

Mohamed Hafez Allows the optional declaration of a whitelist of methods to expose t…
…hrough DRb for any class DRb will be sharing an instance of. (The current behavior of exposing all public methods of a class can leave a pretty scary security hole in some applications)


If drb_safe_methods is used in a class's definition, then any attempt to call a non-whitelisted method on that class through DRb will fail. There is no change to DRb's normal behavior if drb_safe_methods has not been called in a class's definition.
0be2422
Mohamed Hafez whoops, I was checking @front each time for the drb_safe_methods_list…
…, in order to deal correctly for DRbUndumped objects i needed to pass it the actual obj from check_insecure_method and check that instead
704c7a6
Urabe, Shyouhei
Owner

Hi. I forwarded this issue to our ITS:

http://redmine.ruby-lang.org/issues/5434

Please follow the discussion there. I can do the pull once you get consensus.

Mohamed Hafez I was accidentally classifying private methods, protected methods,and…
… unimplemented methods as insecure methods. this commit fixes that
96665e3
Zachary Scott
Collaborator

Closing this as there is already an open ticket in redmine

Zachary Scott zzak closed this November 18, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Showing 3 unique commits by 1 author.

Sep 26, 2011
Mohamed Hafez Allows the optional declaration of a whitelist of methods to expose t…
…hrough DRb for any class DRb will be sharing an instance of. (The current behavior of exposing all public methods of a class can leave a pretty scary security hole in some applications)


If drb_safe_methods is used in a class's definition, then any attempt to call a non-whitelisted method on that class through DRb will fail. There is no change to DRb's normal behavior if drb_safe_methods has not been called in a class's definition.
0be2422
Sep 28, 2011
Mohamed Hafez whoops, I was checking @front each time for the drb_safe_methods_list…
…, in order to deal correctly for DRbUndumped objects i needed to pass it the actual obj from check_insecure_method and check that instead
704c7a6
Oct 19, 2011
Mohamed Hafez I was accidentally classifying private methods, protected methods,and…
… unimplemented methods as insecure methods. this commit fixes that
96665e3
This page is out of date. Refresh to see the latest.

Showing 1 changed file with 34 additions and 3 deletions. Show diff stats Hide diff stats

  1. 37  lib/drb/drb.rb
37  lib/drb/drb.rb
@@ -1437,10 +1437,16 @@ def run
1437 1437
     ]
1438 1438
 
1439 1439
     # Has a method been included in the list of insecure methods?
1440  
-    def insecure_method?(msg_id)
1441  
-      INSECURE_METHOD.include?(msg_id)
  1440
+    # Or, if a list of drb-safe methods has been defined for the
  1441
+    # front object, is this method not included in that list?
  1442
+    def insecure_method?(obj, msg_id)
  1443
+      INSECURE_METHOD.include?(msg_id) ||
  1444
+        (obj.public_methods.include?(:drb_safe_methods_list)  &&
  1445
+         obj.public_methods.include?(msg_id) &&
  1446
+         !obj.drb_safe_methods_list.include?(msg_id))
1442 1447
     end
1443 1448
 
  1449
+
1444 1450
     # Coerce an object to a string, providing our own representation if
1445 1451
     # to_s is not defined for the object.
1446 1452
     def any_to_s(obj)
@@ -1460,7 +1466,7 @@ def any_to_s(obj)
1460 1466
     def check_insecure_method(obj, msg_id)
1461 1467
       return true if Proc === obj && msg_id == :__drb_yield
1462 1468
       raise(ArgumentError, "#{any_to_s(msg_id)} is not a symbol") unless Symbol == msg_id.class
1463  
-      raise(SecurityError, "insecure method `#{msg_id}'") if insecure_method?(msg_id)
  1469
+      raise(SecurityError, "insecure method `#{msg_id}'") if insecure_method?(obj, msg_id)
1464 1470
 
1465 1471
       if obj.private_methods.include?(msg_id)
1466 1472
         desc = any_to_s(obj)
@@ -1768,6 +1774,31 @@ def fetch_server(uri)
1768 1774
   module_function :fetch_server
1769 1775
 end
1770 1776
 
  1777
+
  1778
+# Declare a list of methods to expose to DRb
  1779
+#
  1780
+# Allows the optional declaration of a whitelist of methods to expose
  1781
+# through DRb for any class DRb will be sharing an instance of. If
  1782
+# drb_safe_methods is used, then any attempt to call a non-whitelisted
  1783
+# method on that class through DRb will fail.
  1784
+#
  1785
+# EXAMPLE USAGE:
  1786
+# def MyClass
  1787
+#   drb_safe_methods :method1, :method2
  1788
+# end
  1789
+#
  1790
+# NOTE: if you are using irb as the client and :to_s isn't in the list,
  1791
+# you will get a DRb::DRbConnError when you create the DRbObject, but only
  1792
+# because irb calls to_s to display the result; the DRbObject is still
  1793
+# usable.
  1794
+class Class
  1795
+  def drb_safe_methods(*symbols)
  1796
+    define_method(:drb_safe_methods_list) do
  1797
+      symbols
  1798
+    end
  1799
+  end
  1800
+end
  1801
+
1771 1802
 # :stopdoc:
1772 1803
 DRbObject = DRb::DRbObject
1773 1804
 DRbUndumped = DRb::DRbUndumped
Commit_comment_tip

Tip: You can add notes to lines in a file. Hover to the left of a line to make a note

Something went wrong with that request. Please try again.