Ruby Feature #16131: Remove $SAFE, taint and trust (2019)
5 points by gioele
Therefore I think the taint checking mechanism is unusable in the current Ruby ecosystem.
Wouldn’t you just open a support ticket with Rack to get them to support it? I suspect the issue there would be that it’s unclear what “tainted” means. Rack has presumably parsed the value in some way, but that way may not be “is valid for a SQL query” etc., which would happen later. “Tainting” is just very broad, since a string may need to be validated in different contexts.
The way to solve this more generally is just to have richer types, I think.
Rack was just one example of common, well-known Ruby software that doesn’t use taint. Nothing uses it. Would you open a support ticket on every major Ruby gem that deals with input, and try to get all of them to care about taints, when none of them ever have, and practically no one has cared?
> Would you open a support ticket on every major Ruby gem that deals with input, and try to get all of them to care about taints, when none of them ever have, and practically no one has cared?
Yeah, basically that’s what I’d do if I used those projects and I wanted the feature. I just doubt I’d want the feature because it’s confusing and not clear.
I have always wondered about the taint tracking in Perl …
I didn’t know it was in Ruby, but it doesn’t entirely surprise me that it’s unsound / not well supported.
I would be interested in whether anyone has experience with these mechanisms. I think the problem is the false negatives - the problems it did NOT catch. And you probably have no way of knowing about the false negatives?
It doesn’t seem like these mechanisms have very much mindshare or support – I think we would hear about them a lot more otherwise.
The problem with taint analysis is determining what is tainted vs. not, conceptually - like… who decides? In the link a lot of people talk about using taint to track random properties because it’s sort of a free way to just tag data. But something else could tag/untag the same thing for whatever reason.
If I untaint something because it matches a regex for “valid web param” is it safe to use in sql? Safe to use in html? Usually you solve this with refinement types that are specific to the use case, or you solve it with APIs that don’t care if something is tainted or not.
It’s a cool concept but it lumps too much into a single value. It seems like what people really want is for a type to carry around arbitrary proofs of its values, i.e. “a list, but it isn’t empty” or “a list, but it’s sorted” or “a list that is not empty and also is sorted” etc.
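The contrast the last two comments draw, as an added example that is not part of the thread: a single taint bit cleared by a "valid web param" regex says nothing about which sink the value is safe for, whereas per-sink wrapper types make the sink refuse the wrong proof. The one-bit model is simulated with a small class rather than String#taint (which this feature removed), and all class and method names here are hypothetical.

```ruby
require 'cgi'

# One-bit model: a single flag, cleared by whichever check ran first.
class OneBitValue
  attr_reader :str, :tainted
  def initialize(str, tainted = true)
    @str, @tainted = str, tainted
  end

  # "Matches a regex for valid web param" from the comment. Note the class
  # admits an apostrophe, which is harmless in a URL but not in SQL.
  def untaint_if_web_param
    @tainted = false if @str.match?(/\A[\w .'-]+\z/)
    self
  end
end

# A SQL sink that only consults the flag: the check that cleared it never
# escaped anything for SQL, so the apostrophe goes through unquoted.
def one_bit_sql_fragment(v)
  raise ArgumentError, 'tainted value reached SQL sink' if v.tainted
  "name = '#{v.str}'"
end

# Typed model: each escaper returns a type that is a proof for exactly one sink.
SqlLiteral = Struct.new(:sql)   # proof: quoted and quote-doubled for SQL
HtmlText   = Struct.new(:html)  # proof: entity-escaped for HTML text

def sql_literal(raw)
  SqlLiteral.new("'" + raw.gsub("'", "''") + "'")
end

def html_text(raw)
  HtmlText.new(CGI.escapeHTML(raw))
end

# The SQL sink accepts only the SQL proof; an HtmlText, however "untainted",
# is rejected because HTML escaping proves nothing about SQL.
def typed_sql_fragment(lit)
  raise TypeError, "expected SqlLiteral, got #{lit.class}" unless lit.is_a?(SqlLiteral)
  "name = #{lit.sql}"
end

if __FILE__ == $PROGRAM_NAME
  input = "O'Brien"  # constructed sample input
  puts one_bit_sql_fragment(OneBitValue.new(input).untaint_if_web_param)
  puts typed_sql_fragment(sql_literal(input))
end
```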