fix `SecurityError: Insecure operation - gem_original_require` #100

Merged
merged 1 commit into tzinfo:master from fix-insecure-operation Dec 9, 2019

Conversation

@takkanm
Contributor

@takkanm takkanm commented Sep 30, 2019

I noticed that the test on Ruby 2.7 failed because it raised a SecurityError.

https://travis-ci.org/tzinfo/tzinfo/jobs/526594506

```
  1) Error:
TCTimezone#test_get_tainted_and_frozen_not_previously_loaded:
SecurityError: Insecure operation - require
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:115:in `require_definition'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:93:in `load_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_source.rb:195:in `get_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
    /home/travis/build/tzinfo/tzinfo/test/tc_timezone.rb:291:in `block in test_get_tainted_and_frozen_not_previously_loaded'
    /home/travis/build/tzinfo/tzinfo/test/test_utils.rb:311:in `block in safe_test'
```
@philr
Member

@philr philr commented Oct 3, 2019

I'd prefer to handle the untainting before the require_data method gets called. The file name gets validated and replaced with a known to be safe string in the load_timezone_info method. I assume the source of the SecurityError is therefore the @base_path.

Could you check this assumption is true and move the untaint call to whichever branch of the initializer is causing the problem?

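The pattern philr describes above (validate the caller-supplied identifier, replace it with a freshly built, known-safe string, and keep the base directory trusted so nothing untrusted reaches `require`) can be shown in a small standalone class. This is an added illustration, not tzinfo's own `RubyDataSource` code; the class name `SafeDefinitionSource`, the `definitions/` layout and the `InsecureIdentifier` error are assumptions made for the example. It deliberately avoids `taint`/`untaint`, which Ruby 2.7 turned into no-ops and Ruby 3.2 removed, and relies on validation instead.

```ruby
# Illustrative data source (not tzinfo's own code): the identifier the
# caller passes in is never used directly. It is validated segment by
# segment, rebuilt into a new string, joined onto a trusted base path and
# checked to still lie under that base before being passed to `require`.
require 'tmpdir'

class InsecureIdentifier < StandardError; end

class SafeDefinitionSource
  # Identifiers such as "Europe/London" or "Etc/GMT+1": each segment is a
  # restricted character set, so "." and ".." and empty segments are rejected.
  VALID_SEGMENT = /\A[A-Za-z0-9+\-_]+\z/.freeze

  # base_path is assumed to be a trusted, absolute directory.
  def initialize(base_path)
    @base_path = File.expand_path(base_path)
    @loaded = {}
  end

  # Returns the absolute path that would be required for +identifier+, or
  # raises InsecureIdentifier. The result is assembled from validated parts,
  # never the caller's own string object.
  def definition_path(identifier)
    raise InsecureIdentifier, 'identifier must be a String' unless identifier.is_a?(String)

    segments = identifier.split('/', -1)
    unless !segments.empty? && segments.all? { |s| VALID_SEGMENT.match?(s) }
      raise InsecureIdentifier, "invalid identifier: #{identifier.inspect}"
    end

    safe = segments.map(&:dup).join('/')
    path = File.join(@base_path, 'definitions', "#{safe}.rb")

    # Defence in depth: the resolved path must stay below the trusted base.
    unless path.start_with?(@base_path + File::SEPARATOR)
      raise InsecureIdentifier, "path escapes base: #{path}"
    end
    path
  end

  # Requires the definition file. Returns true when it was loaded by this
  # call and false when it had already been loaded earlier.
  def load_definition(identifier)
    path = definition_path(identifier)
    return false if @loaded[path]

    require path
    @loaded[path] = true
  end
end

if __FILE__ == $0
  # Constructed sample: a throwaway base directory with one definition file.
  Dir.mktmpdir do |dir|
    Dir.mkdir(File.join(dir, 'definitions'))
    Dir.mkdir(File.join(dir, 'definitions', 'Europe'))
    File.write(File.join(dir, 'definitions', 'Europe', 'London.rb'),
               "puts 'Europe/London definition loaded'\n")

    source = SafeDefinitionSource.new(dir)
    puts source.definition_path('Europe/London')
    puts source.load_definition('Europe/London')   # true (loaded now)
    puts source.load_definition('Europe/London')   # false (already loaded)
    begin
      source.definition_path('../../etc/passwd')
    rescue InsecureIdentifier => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Nothing here depends on the tainting machinery: the caller's object never reaches `require`, and the only remaining input to the require path is `@base_path`, which is why it is the component that has to be trusted (or, on the Ruby versions that still check it, untainted) at construction time.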
@takkanm
Contributor Author

@takkanm takkanm commented Oct 7, 2019

@philr I'll try it.

`SecurityError: Insecure operation - gem_original_require`
This error is caused by `@base_path`.
@takkanm takkanm force-pushed the fix-insecure-operation branch from 5722753 to eaa31c0 Oct 8, 2019
@takkanm
Contributor Author

@takkanm takkanm commented Oct 8, 2019

I fixed it.

philr added a commit that referenced this issue Dec 9, 2019
@philr philr merged commit eaa31c0 into tzinfo:master Dec 9, 2019
2 checks passed