fix `SecurityError: Insecure operation - gem_original_require` #100

wants to merge 1 commit into
base: master

commented Sep 30, 2019

I noticed that the test on Ruby 2.7 failed because a SecurityError was raised.

```
  1) Error:
SecurityError: Insecure operation - require
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:115:in `require_definition'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:93:in `load_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_source.rb:195:in `get_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
    /home/travis/build/tzinfo/tzinfo/test/tc_timezone.rb:291:in `block in test_get_tainted_and_frozen_not_previously_loaded'
    /home/travis/build/tzinfo/tzinfo/test/test_utils.rb:311:in `block in safe_test'
```

commented Oct 3, 2019

I'd prefer to handle the untainting before the require_data method gets called. The file name gets validated and replaced with a known to be safe string in the load_timezone_info method. I assume the source of the SecurityError is therefore the @base_path.

Could you check this assumption is true and move the untaint call to whichever branch of the initializer is causing the problem?
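
The validate-then-substitute pattern described in the comment above, as an added example that is not from the pull request or from tzinfo: the caller's string is checked against a known index and the index's own copy is used to build the path. The index contents, base path and method names are assumptions, and Ruby's taint API is not used.

```ruby
# Added illustration; every name and value below is hypothetical, not tzinfo's own.
class InvalidIdentifier < StandardError; end

# Constructed sample index of the identifiers the data set ships, sorted for bsearch.
KNOWN_IDENTIFIERS = ['America/New_York', 'Etc/GMT+1', 'Europe/London'].sort.map(&:freeze).freeze

# Constructed base path, fixed once at start-up from trusted configuration.
BASE_PATH = '/opt/app/tzdata/definitions'.freeze

# Returns the index's own copy of the identifier, never the caller's object,
# so nothing derived from untrusted input flows on towards require.
def known_safe_identifier(input)
  raise InvalidIdentifier, 'identifier must be a String' unless input.is_a?(String)
  match = KNOWN_IDENTIFIERS.bsearch { |known| input <=> known }
  raise InvalidIdentifier, "unknown identifier: #{input.inspect}" if match.nil?
  match
end

# Builds the file path from the trusted base path and the validated identifier.
def definition_path(input)
  File.join(BASE_PATH, *known_safe_identifier(input).split('/'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one valid identifier, a traversal attempt, a NUL-suffixed name.
  ['Europe/London', '../../etc/passwd', "Europe/London\0"].each do |candidate|
    begin
      puts "#{candidate.inspect} -> #{definition_path(candidate)}"
    rescue InvalidIdentifier => e
      puts "#{candidate.inspect} rejected (#{e.message})"
    end
  end
end
```
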


commented Oct 7, 2019

@philr I'll try it.

`SecurityError: Insecure operation - gem_original_require`
This error is caused by `@base_path`.

@takkanm force-pushed the takkanm:fix-insecure-operation branch from 5722753 to eaa31c0 on Oct 8, 2019

commented Oct 8, 2019

I fixed it.
