
fix SecurityError: Insecure operation - gem_original_require #100

Open
wants to merge 1 commit into
base: master
from

Conversation

@takkanm

commented Sep 30, 2019

I noticed that the test on Ruby 2.7 failed because it raised a SecurityError.

https://travis-ci.org/tzinfo/tzinfo/jobs/526594506

  1) Error:
TCTimezone#test_get_tainted_and_frozen_not_previously_loaded:
SecurityError: Insecure operation - require
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:115:in `require_definition'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:93:in `load_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_source.rb:195:in `get_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
    /home/travis/build/tzinfo/tzinfo/test/tc_timezone.rb:291:in `block in test_get_tainted_and_frozen_not_previously_loaded'
    /home/travis/build/tzinfo/tzinfo/test/test_utils.rb:311:in `block in safe_test'
@philr

Member

commented Oct 3, 2019

I'd prefer to handle the untainting before the require_data method gets called. The file name gets validated and replaced with a known to be safe string in the load_timezone_info method. I assume the source of the SecurityError is therefore the @base_path.

Could you check this assumption is true and move the untaint call to whichever branch of the initializer is causing the problem?
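
The pattern @philr describes above, as an added example (not tzinfo's own code): the untrusted identifier is validated and then replaced by a freshly built, known-safe string before it reaches `require`, and the base path is untainted once in the initializer rather than at every require. `SafeDataSource`, `IDENTIFIER_RE`, `InvalidIdentifier` and `demo` are hypothetical names, the definition file it loads is constructed in a temp directory, and the `untaint` calls are guarded because taint support was deprecated in Ruby 2.7 and removed in 3.2.

```ruby
require 'fileutils'
require 'tmpdir'

# Identifiers may only contain these characters, so '..', absolute paths and
# any separator other than '/' can never reach File.join. \z (not \Z) also
# rejects a trailing newline.
IDENTIFIER_RE = /\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z/.freeze

class InvalidIdentifier < StandardError; end

# Hypothetical stand-in for a Ruby data source that requires definition files.
class SafeDataSource
  def initialize(base_path)
    # Untaint once here, in the initializer, so every later require sees an
    # untainted @base_path. untaint is a no-op on 2.7 and absent from 3.2+.
    base = base_path.dup
    base.untaint if base.respond_to?(:untaint)
    @base_path = base.freeze
  end

  # Map an untrusted identifier to a file under @base_path/definitions,
  # or raise if it does not match the allow-list.
  def definition_path(identifier)
    unless identifier.is_a?(String) && IDENTIFIER_RE.match?(identifier)
      raise InvalidIdentifier, identifier.inspect
    end
    # Each validated segment is copied into a fresh string (and untainted where
    # tainting exists), so what we join is a known-safe string, not the input.
    segments = identifier.split('/').map do |s|
      safe = s.dup
      safe.untaint if safe.respond_to?(:untaint)
      safe
    end
    File.join(@base_path, 'definitions', *segments) + '.rb'
  end

  def load_definition(identifier)
    path = definition_path(identifier)
    require path
    path
  end
end

DEMO_LOADED = [] # appended to by the constructed definition file below

# Constructed demo: write a definition file into a temp dir, load it through
# the data source, and confirm traversal-style identifiers are rejected.
def demo
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'definitions', 'Europe'))
    File.write(File.join(dir, 'definitions', 'Europe', 'London.rb'),
               "DEMO_LOADED << 'Europe/London'\n")
    ds = SafeDataSource.new(dir)
    loaded = ds.load_definition('Europe/London')
    bad_ids = ['../definitions/Europe/London', '/etc/passwd',
               "Europe/London\n", 'Europe\\London']
    rejected = bad_ids.select do |id|
      begin
        ds.definition_path(id)
        false
      rescue InvalidIdentifier
        true
      end
    end
    { loaded: File.basename(loaded), rejected: rejected.size }
  end
end

puts demo.inspect if __FILE__ == $0
```

Running the file prints the loaded definition name and the count of rejected identifiers; the important property is that `require` only ever sees a string assembled from the validated, untainted base path and segments.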

@takkanm

Author

commented Oct 7, 2019

@philr I'll try it.

`SecurityError: Insecure operation - gem_original_require`
This error is caused by `@base_path`.
takkanm force-pushed the takkanm:fix-insecure-operation branch from 5722753 to eaa31c0 on Oct 8, 2019
@takkanm

Author

commented Oct 8, 2019

I fixed it.
