
fix SecurityError: Insecure operation - gem_original_require #100

Merged
philr merged 1 commit into
tzinfo:masterfrom
takkanm:fix-insecure-operation
Dec 9, 2019
Conversation

@takkanm takkanm commented Sep 30, 2019

Contributor

I noticed that the test on Ruby 2.7 failed because it raised SecurityError.

https://travis-ci.org/tzinfo/tzinfo/jobs/526594506

  1) Error:
TCTimezone#test_get_tainted_and_frozen_not_previously_loaded:
SecurityError: Insecure operation - require
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:115:in `require_definition'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:93:in `load_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/data_source.rb:195:in `get_timezone_info'
    /home/travis/build/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
    /home/travis/build/tzinfo/tzinfo/test/tc_timezone.rb:291:in `block in test_get_tainted_and_frozen_not_previously_loaded'
    /home/travis/build/tzinfo/tzinfo/test/test_utils.rb:311:in `block in safe_test'

philr commented Oct 3, 2019

Member

I'd prefer to handle the untainting before the require_data method gets called. The file name gets validated and replaced with a known-to-be-safe string in the load_timezone_info method. I assume the source of the SecurityError is therefore the @base_path.

Could you check this assumption is true and move the untaint call to whichever branch of the initializer is causing the problem?
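The validate-before-require pattern described in this comment, as an added example that is not tzinfo's own code: a hypothetical SafeDefinitionLoader checks the caller-supplied identifier against a strict pattern so that only a known-safe string is joined to the base path passed to require, which leaves the base path as the only component whose origin matters. The definition file and the base directory are constructed in a temp dir for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical loader (not tzinfo's code) modelled on the approach described
# above: the identifier is validated before it is joined to the trusted base
# path, so nothing caller-controlled reaches require except validated segments.
class SafeDefinitionLoader
  # One or more segments of [A-Za-z0-9_+-] separated by single slashes;
  # this excludes '.', '..', empty segments and any other path syntax.
  IDENTIFIER = %r{\A[A-Za-z0-9_+\-]+(?:/[A-Za-z0-9_+\-]+)*\z}

  def initialize(base_path)
    # The base path is trusted configuration, not caller input; requiring it
    # to be absolute stops the result being resolved against $LOAD_PATH.
    raise ArgumentError, 'base_path must be absolute' unless base_path.start_with?('/')
    @base_path = File.expand_path(base_path)
  end

  # Validates the identifier and returns the file that would be required.
  def definition_path(identifier)
    raise ArgumentError, "invalid identifier: #{identifier.inspect}" unless IDENTIFIER.match?(identifier)
    File.join(@base_path, 'definitions', *identifier.split('/')) + '.rb'
  end

  # Only a validated path ever reaches require.
  def load_definition(identifier)
    require definition_path(identifier)
  end
end

module LoadedDefinitions; end

# Constructed demonstration: writes one definition under a temp base path,
# loads it through the validated path and shows that an identifier carrying
# path syntax is rejected before require is called.
def safe_loader_demo
  Dir.mktmpdir('defs') do |dir|
    file = File.join(dir, 'definitions', 'Europe', 'London.rb')
    FileUtils.mkdir_p(File.dirname(file))
    File.write(file, "LoadedDefinitions::LONDON = 'Europe/London'\n")
    loader = SafeDefinitionLoader.new(dir)
    loader.load_definition('Europe/London')
    rejected = begin
      loader.definition_path('../Etc/UTC')
      false
    rescue ArgumentError
      true
    end
    { loaded: LoadedDefinitions::LONDON, rejected_path_syntax: rejected }
  end
end
```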

takkanm commented Oct 7, 2019

Contributor Author

@philr I'll try it.

`SecurityError: Insecure operation - gem_original_require`
This error is caused by `@base_path`.

@takkanm takkanm force-pushed the fix-insecure-operation branch from 5722753 to eaa31c0 on October 8, 2019 21:11
takkanm commented Oct 8, 2019

Contributor Author

I fixed it.

philr added a commit that referenced this pull request Dec 9, 2019
@philr philr merged commit eaa31c0 into tzinfo:master Dec 9, 2019