The taint mechanism will be deprecated in Ruby 2.7 #108

kamipo · 2019-11-21T20:20:01Z

The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7
and will remove that in Ruby 3.

https://bugs.ruby-lang.org/issues/16131
ruby/ruby#2476

In Ruby 2.7, Object#{taint,untaint,trust,untrust} and related
functions in the C-API no longer have an effect (all objects are always
considered untainted), and are now warned deprecation message.

https://buildkite.com/rails/rails/builds/65069#dddcc2a1-a23c-4bc2-9eaf-351295244d1f/991-993

The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3. https://bugs.ruby-lang.org/issues/16131 ruby/ruby#2476 In Ruby 2.7, `Object#{taint,untaint,trust,untrust}` and related functions in the C-API no longer have an effect (all objects are always considered untainted), and are now warned deprecation message. https://buildkite.com/rails/rails/builds/65069#dddcc2a1-a23c-4bc2-9eaf-351295244d1f/991-993

philr · 2019-11-21T21:07:52Z

TZInfo currently supports running in safe mode with Ruby < 2.7. With this pull request applied, this scenario no longer works:

$ ruby -v
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
$ bundle exec ruby -Itest/tzinfo-data2 \
   -e 'require "tzinfo"; require "tzinfo/data"; $SAFE=1; puts TZInfo::Timezone.get("Europe/London")'
Traceback (most recent call last):
        11: from -e:1:in `<main>'
        10: from /home/philr/tzinfo/tzinfo/lib/tzinfo/timezone.rb:128:in `get'
         9: from /home/philr/tzinfo/tzinfo/lib/tzinfo/timezone.rb:235:in `data_source'
         8: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:54:in `get'
         7: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:54:in `synchronize'
         6: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:55:in `block in get'
         5: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:154:in `create_default_data_source'
         4: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_source.rb:154:in `new'
         3: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:57:in `initialize'
         2: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:122:in `require_index'
         1: from /home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require_data'
/home/philr/tzinfo/tzinfo/lib/tzinfo/data_sources/ruby_data_source.rb:129:in `require': Insecure operation - require (SecurityError)

I'd prefer to maintain support for safe mode for the time being, but avoid the warnings when running on Ruby 2.7. I'd probably look to conditionally define a helper 'untaint' method and use that in place of calls to Object#untaint:

if RUBY_VERSION >= '2.7'
  def untaint(obj)
    obj
  end
else
  def untaint(obj)
    obj.untaint
  end
end

Rather than testing the RUBY_VERSION, it'd probably better to find a way to check if Object#untaint is either non-existent or a no-op.

The Ruby core team decided to deprecate the taint mechanism in Ruby 2.7 and will remove that in Ruby 3. https://bugs.ruby-lang.org/issues/16131 ruby/ruby#2476 This is an alternative of tzinfo#108.

kamipo · 2019-11-24T05:47:07Z

Closing this in favor of #109.

kamipo mentioned this pull request Nov 24, 2019

No-op Object#untaint to suppress deprecation warning in Ruby 2.7 #109

Merged

kamipo closed this Nov 24, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The taint mechanism will be deprecated in Ruby 2.7 #108

The taint mechanism will be deprecated in Ruby 2.7 #108

kamipo commented Nov 21, 2019

philr commented Nov 21, 2019 •

edited

kamipo commented Nov 24, 2019

The taint mechanism will be deprecated in Ruby 2.7 #108

The taint mechanism will be deprecated in Ruby 2.7 #108

Conversation

kamipo commented Nov 21, 2019

philr commented Nov 21, 2019 • edited

kamipo commented Nov 24, 2019

philr commented Nov 21, 2019 •

edited