fix `SecurityError: Insecure operation - gem_original_require` #100

merged 1 commit into from
Dec 9, 2019


takkanm commented Sep 30, 2019

I noticed that the test on Ruby 2.7 failed because a SecurityError was raised.

```
  1) Error:
SecurityError: Insecure operation - require
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:115:in `require_definition'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:93:in `load_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_source.rb:195:in `get_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
    /home/travis/build/tzinfo/tzinfo/test/tc_timezone.rb:291:in `block in test_get_tainted_and_frozen_not_previously_loaded'
    /home/travis/build/tzinfo/tzinfo/test/test_utils.rb:311:in `block in safe_test'
```

philr commented Oct 3, 2019

I'd prefer to handle the untainting before the require_data method gets called. The file name gets validated and replaced with a known to be safe string in the load_timezone_info method. I assume the source of the SecurityError is therefore the @base_path.

Could you check this assumption is true and move the untaint call to whichever branch of the initializer is causing the problem?

Contributor Author

takkanm commented Oct 7, 2019

@philr I'll try it.

`SecurityError: Insecure operation - gem_original_require`
This error is caused by `@base_path`.

Contributor Author

takkanm commented Oct 8, 2019

I fixed it.

philr added a commit that referenced this pull request Dec 9, 2019
@philr philr merged commit eaa31c0 into tzinfo:master Dec 9, 2019
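
The validate-then-replace pattern philr describes for the file name, written out as an added example that is not tzinfo's code: the untrusted identifier is checked segment by segment and a new string is built from the validated parts before anything reaches `require`. The function name, the segment pattern and the base path are assumptions made for illustration.

```ruby
# Added illustration; every name here is hypothetical, not tzinfo's API.

# One path segment: letters, digits, underscore, plus, minus. No dots,
# no empty segments, and \A...\z so a trailing newline cannot slip through.
SEGMENT = /\A[A-Za-z0-9_+\-]+\z/

class InvalidIdentifier < StandardError; end

# Maps an untrusted identifier such as "Europe/London" to a frozen file
# path below base_path, or raises InvalidIdentifier.
def safe_definition_path(base_path, identifier)
  raise InvalidIdentifier, 'identifier must be a String' unless identifier.is_a?(String)

  # limit -1 keeps empty trailing segments so "a/" is rejected, not trimmed.
  parts = identifier.split('/', -1)
  unless !parts.empty? && parts.all? { |p| SEGMENT.match?(p) }
    raise InvalidIdentifier, "invalid identifier: #{identifier.inspect}"
  end

  # Rebuild the relative path from the validated segments; the caller's
  # original string object is never passed on.
  clean = parts.map { |p| String.new(p) }.join('/')

  root = File.expand_path(base_path)
  full = File.expand_path("#{clean}.rb", root)

  # Defence in depth: the resolved path must still sit under the root.
  unless full.start_with?(root + File::SEPARATOR)
    raise InvalidIdentifier, 'path escapes base directory'
  end

  full.freeze
end
```

The base path is a separate input: as the thread concludes, it has to be trusted (or cleaned) where it is configured, because validating the identifier says nothing about it.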