[ruby-core:113407] [Ruby master Feature#19630] [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues
Issue #19630 has been reported by postmodern (Hal Brodigan). ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by postmodern (Hal Brodigan). A more complete list of the CVEs related to `Kernel.open`: * CVE-2017-17405 (ruby, net-ftp) * CVE-2017-17790 (ruby, resolv) * CVE-2019-10780 (bibtex-ruby) * CVE-2021-21289 (mechanize) * CVE-2019-5477 (nokogiri) * CVE-2021-31799 (rdoc) * CVE-2019-5477 (rexical) ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-102980 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). I enthusiastically support this suggestion. This is something that even experienced Ruby developers frequently forget about. I think it would be wise to evolve this API towards being "secure by default", even if that means forcing users to be explicit about the class or module. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-102987 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by hsbt (Hiroshi SHIBATA). This proposal make sense to me. But I'm not sure how impact existing code for this incompatibility. Do you have any deprecated process for this? ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103254 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). @hsbt Because this functionality has existed in Ruby for such a long time, maybe we should target the next major release for removal of this functionality, and for now just print a deprecation warning. @postmodern Just to clarify, you're only suggesting deprecating this in `Kernel#open`. It's also possible for commands to be injected into: - IO.binread - IO.foreach - IO.readlines - IO.read - IO.write but my understanding is that you're proposing to leave these methods alone, is that correct? If noone has objections, I'll create a pull request so we have something concrete to discuss. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103436 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by byroot (Jean Boussier).
for now just print a deprecation warning.
My worry is that since deprecation warnings are disabled by default, many people might not notice. Recent examples show that things like `File.exists?` was deprecated for a decade, and some people were still surprised by its removal. I know it's a distinct issue, but it impacts this one. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103437 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). I've created https://github.com/ruby/ruby/pull/7915 for review. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103439 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by postmodern (Hal Brodigan). @mdalessio (Mike Dalessio) wrote in #note-5:
@hsbt Because this functionality has existed in Ruby for such a long time, maybe we should target the next major release for removal of this functionality, and for now just print a deprecation warning.
@postmodern Just to clarify, you're only suggesting deprecating this in `Kernel#open`. It's also possible for commands to be injected into:
- IO.binread - IO.foreach - IO.readlines - IO.read - IO.write
but my understanding is that you're proposing to leave these methods alone, is that correct?
If noone has objections, I'll create a pull request so we have something concrete to discuss.
I was unaware that these methods can accept `|command` style inputs. Based on the stdlib documentation, the first argument is called `name` and the examples show reading from `testfile`, which implies to me they should only read from files. We could at first deprecate `Kernel.open` and see how much impact it has on users complaining about deprecation warnings, or we could start with the other `IO` methods? ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103450 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by Eregon (Benoit Daloze). IIRC `IO` methods all have an equivalent under `File`, and those do not accept pipes. So e.g. RuboCop warns about them and suggest to use `File.some_method` instead: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/IoMethods And there is already a cop too for Kernel#open it seems: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/Open But I agree for security reasons I think it makes sense to deprecate them in Ruby too, not everyone uses RuboCop or these cops in particular. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103472 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by nobu (Nobuyoshi Nakada). postmodern (Hal Brodigan) wrote in #note-8:
I was unaware that these methods can accept `|command` style inputs. Based on the stdlib documentation, the first argument is called `name` and the examples show reading from `testfile`, which implies to me they should only read from files. We could at first deprecate `Kernel.open` and see how much impact it has on users complaining about deprecation warnings, or we could start with the other `IO` methods?
I'm against deprecating pipe in `IO` methods. It is intentionally kept quiet, unlike `File`. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103503 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). If we all agree that deprecating this behavior in `Kernel#open` is a good idea, is there any objection to something like https://github.com/ruby/ruby/pull/7915 ? @byroot I agree with your concerns about people ignoring deprecation warnings, but I don't think that's a good reason to stop deprecating behavior that we all agree should be deprecated. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103521 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by byroot (Jean Boussier).
is there any objection
Not from me, we should add this ticket to the next dev meeting. However I feel like other IO methods (`IO.binread`, etc) should do the same otherwise it's a bit inconsistent. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103534 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by matz (Yukihiro Matsumoto). OK. Probably we should remove pipe notation from all open methods, with deprecation process. Matz. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103839 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by hsbt (Hiroshi SHIBATA). @mdalessio Could you also deprecate the following methods in your pull request? ``` IO.binread IO.foreach IO.readlines IO.read IO.write ``` ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103860 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). @hsbt Yes, I'll update the pull request. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103862 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). @hsbt Do you think I should also deprecate pipe commends in `URI.open` as suggested in https://bugs.ruby-lang.org/issues/19723 ? It seems like @matz may be encouraging this by saying "all open methods" above. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103863 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by hsbt (Hiroshi SHIBATA). @mdalessio Deprecated `URI.open` is also accepted. We should deprecate it in same time. ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103865 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by ko1 (Koichi Sasada). memo:
rb_warn_deprecated_to_remove("4.0", "Calling Kernel#open with a leading '|'", "IO.popen");
* warning until 4.0 * delete at 4.0 ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel.open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103866 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
Issue #19630 has been updated by mdalessio (Mike Dalessio). The pull request is ready for review: https://github.com/ruby/ruby/pull/7915 ---------------------------------------- Feature #19630: [RFC] Deprecate `Kernel#open("|command-here")` due to frequent security issues https://bugs.ruby-lang.org/issues/19630#change-103966 * Author: postmodern (Hal Brodigan) * Status: Open * Priority: Normal ---------------------------------------- `Kernel.open()` is the source of numerous [1] security [2] issues [3], due to the fact that it can be used to execute commands if given a String argument of the form `"|command-here"`. However, in most uses of `Kernel.open()` the developer appears to either want to open a local file, or if 'open-uri' was explicitly required open a remote URI. We should deprecate calling `Kernel.open()` with a `"|command-here"` style arguments, with a warning message instructing the developer to use `IO.popen()` instead. Eventually, support for `Kernel.open("|command-here")` could be removed completely, in favor of having the developer explicitly call `IO.popen()` or `URI.open()`. [1]: https://45w1nkv.medium.com/ruby-code-vulnerability-analysis-confirmsnssubscr... [2]: https://bishopfox.com/blog/ruby-vulnerabilities-exploits [3]: https://blog.heroku.com/identifying-ruby-ftp-cve -- https://bugs.ruby-lang.org/
participants (11)
-
byroot (Jean Boussier) -
Eregon (Benoit Daloze)
-
hsbt (Hiroshi SHIBATA)
-
hsbt (Hiroshi SHIBATA) -
ko1 (Koichi Sasada)
-
matz (Yukihiro Matsumoto)
-
mdalessio (Mike Dalessio)
-
mdalessio (Mike Dalessio)
-
nobu (Nobuyoshi Nakada)
-
postmodern (Hal Brodigan)
-
postmodern (Hal Brodigan)