safe_intern 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c83f69632b7a1ac53c90593819f74884dd14d723
+  data.tar.gz: 239e8d074b08c60a7959c48f7e87eb7e2628e333
+SHA512:
+  metadata.gz: 5901bf0d86098b00d30bcb688d72dd4c14757e7b2105a8c56ab06b8776536fd9b7a3b4b12fe72eac9b1b19052fd55736a2f8fb553f1e6cf20bd55597e885f9f6
+  data.tar.gz: 10f41a368bb3f9078c9dde6e8abc5def0439a24b93062f39d22472504c62b77913cc4c1d5caa53866630d3c11466e831ed7065e7ef6c3bd8537f702131744d20

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+group :development,:test do
+  gem 'rake-compiler'
+  gem 'rake'
+  gem 'rspec'
+  gem 'rubocop'
+end

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Jan Rusnacko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,116 @@
+# SafeIntern
+
+Safe implemetation of String#intern and String#to_sym methods.
+
+## Description
+
+One of the common security issues of Ruby applications is calling `intern` or 
+`to_sym` on strings from untrusted source. Since symbols are not garbage 
+collected in Ruby, yet take up some memory, this allows attacker to mount 
+Denial of Service attack. Just by feeding the application with large number of
+strings and creating large number of symbols, memory consumption of the Ruby
+process would grow till machine runs out of memory.
+
+One approach to solving this problem is to prevent calls to .intern on 
+untrusted strings by whitelisting expected inputs:
+
+    whitelist(untrusted_string).to_sym
+
+This gets tedious very quickly - developer has to know all of the permitted 
+values beforehand and has to maintain the list. 
+
+Another approach is to allow conversion from string to symbol, but prevent 
+allocation of new (previously unseen) symbol. This works most of the time since
+all useful symbols are already allocated in application when its source is
+parsed.
+
+## How it works
+
+Symbols are stored in a structure `global_symbols` which maintains mapping
+between frozen strings that are the "name" of symbol and numeric IDs, which
+are used by Ruby interpreter. All currently allocated Symbols can be listed
+by calling `Symbol.all_symbols`.
+
+Starting from Ruby 2.0, API provides `rb_check_id` function, which allows to
+query `global_symbols` for particular symbol without allocating it. This is 
+much more efficient than doing something like
+
+    Symbol.all_symbols.map(&:to_s).include?(untrusted_string)
+
+With the ability to query for known symbols, `intern` and `to_sym` methods can 
+be patched. There are two possible behaviours when called on unknown string:
+
+* return nil
+* raise exception
+
+This gem provides implementation of both in `SafeIntern::ExceptionPatch` and
+`SafeIntern::NilPatch` modules. 
+
+## Usage
+
+1. Install using gem command:
+      
+        $ gem install safe_intern
+
+  or include in Gemfile:
+
+        gem 'safe_intern'
+
+2. Patch the String:
+
+        require 'safe_intern/string'
+
+  This will patch `String#intern` and `String#to_sym` methods to throw 
+  exception when new Symbol would be allocated. To return nil instead, patch 
+  the String with
+
+      require 'safe_intern'
+
+      class ::String
+        prepend SafeIntern::NilPatch
+      end
+
+  Prepending the `SafeIntern::NilPatch` module is important, since including it
+  would result in the wrong order of method lookup.
+
+  Only particular strings can be patched too:
+
+      require 'safe_intern'
+    
+      unstrusted_string.extend(SafeIntern::ExceptionPatch)
+
+  Calling `.to_sym` and `.intern` on unstrusted string that would result in
+  new symbol allocation returns nil or throws exception:
+
+      > untrusted_string.extend(SafeIntern::NilPatch)
+      => "does_not_exist"
+      > untrusted_string.intern
+      => nil 
+      > untrusted_string.extend(SafeIntern::ExceptionPatch)
+      => "does_not_exist" 
+      > untrusted_string.intern
+      UnsafeInternException: UnsafeInternException
+        from /home/jrusnack/.gem/ruby/gems/safe_intern-1.0.0/lib/safe_intern/exception_patch.rb:7:in `intern'
+        from (irb):4
+        from /usr/bin/irb:12:in `<main>'
+
+  When String class is patched, creating new symbol from trusted string is
+  possible with
+
+      trusted_string.intern(:allow_unsafe)
+
+## Requirements
+* [Ruby] >= 2.0.0
+
+## See also
+
+Similar functionality is provided by [Symbol Lookup] gem. Read about addition 
+of new method to query for already allocated Symbols in [Issue 7854].
+
+## License
+[SafeIntern] is released under the MIT License.
+
+[Ruby]: http://www.ruby-lang.org
+[Symbol Lookup]: https://github.com/phluid61/symbol_lookup-gem
+[Issue 7854]: https://bugs.ruby-lang.org/issues/7854
+[SafeIntern] https://github.com/jrusnack/safe_intern

data/Rakefile

@@ -0,0 +1,31 @@
+require 'rspec/core/rake_task'
+require 'rake/extensiontask'
+require 'rubocop/rake_task'
+require 'benchmark'
+$:.unshift File.expand_path('../lib', __FILE__)
+require 'safe_intern'
+
+RSpec::Core::RakeTask.new
+
+Rake::ExtensionTask.new "symbol_defined" do |ext|
+end
+
+Rubocop::RakeTask.new
+
+desc 'Benchmark implemented methods'
+task :benchmark do
+  i = 2000000
+
+  Benchmark.bm(22) do |bm|
+    string = 'String'
+    bm.report("unpatched:") { i.times do string.intern end }
+
+    str = string.clone.extend(SafeIntern::NilPatch)
+    bm.report("Nil patch:") { i.times do str.intern end }
+    bm.report("Nil patch(allow):") { i.times do str.intern(:allow_unsafe) end }
+
+    str = string.clone.extend(SafeIntern::ExceptionPatch)
+    bm.report("Exception patch:") { i.times do str.intern end }
+    bm.report("Exception patch(allow):") { i.times do str.intern(:allow_unsafe) end }
+  end
+end

data/ext/symbol_defined/extconf.rb

@@ -0,0 +1,8 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'mkmf'
+create_makefile('symbol_defined')

data/ext/symbol_defined/symbol_defined.c

@@ -0,0 +1,26 @@
+/* Copyright (C) 2014 Jan Rusnacko
+ * 
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions of the
+ * MIT license.
+ */
+
+#include "ruby.h"
+
+VALUE
+symbol_defined(VALUE self, VALUE str)
+{
+    if(rb_check_id(&str)) {
+        return Qtrue;
+    } else {
+        return Qfalse;
+    }
+}
+
+VALUE cSafeIntern;
+
+void Init_symbol_defined()
+{
+    cSafeIntern = rb_define_module("SafeIntern");
+    rb_define_module_function(cSafeIntern, "symbol_defined?", symbol_defined, 1);
+}

data/lib/safe_intern/exception_patch.rb

@@ -0,0 +1,25 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+module SafeIntern
+  module ExceptionPatch
+    def intern(allow_unsafe = nil)
+      if allow_unsafe == :allow_unsafe || SafeIntern.symbol_defined?(self)
+        super()
+      else
+        fail UnsafeInternException
+      end
+    end
+
+    def to_sym(allow_unsafe = nil)
+      if allow_unsafe == :allow_unsafe || SafeIntern.symbol_defined?(self)
+        super()
+      else
+        fail UnsafeInternException
+      end
+    end
+  end
+end

data/lib/safe_intern/nil_patch.rb

@@ -0,0 +1,25 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+module SafeIntern
+  module NilPatch
+    def intern(allow_unsafe = nil)
+      if allow_unsafe == :allow_unsafe || SafeIntern.symbol_defined?(self)
+        super()
+      else
+        nil
+      end
+    end
+
+    def to_sym(allow_unsafe = nil)
+      if allow_unsafe == :allow_unsafe || SafeIntern.symbol_defined?(self)
+        super()
+      else
+        nil
+      end
+    end
+  end
+end

data/lib/safe_intern/string.rb

@@ -0,0 +1,16 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'safe_intern'
+
+# Patch String class to throw exception when new Symbol is created by intern
+# or to_sym methods.
+#
+# Usage: require 'safe_intern/string'
+#
+class ::String
+  prepend SafeIntern::ExceptionPatch
+end

data/lib/safe_intern/unsafe_intern_exception.rb

@@ -0,0 +1,7 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+class UnsafeInternException < RuntimeError; end

data/lib/safe_intern.rb

@@ -0,0 +1,10 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'symbol_defined'
+require 'safe_intern/exception_patch'
+require 'safe_intern/nil_patch'
+require 'safe_intern/unsafe_intern_exception'

data/safe_intern.gemspec

@@ -0,0 +1,14 @@
+Gem::Specification.new do |gem|
+  gem.name        = 'safe_intern'
+  gem.version     = '1.0.0'
+  gem.date        = '2014-03-20'
+  gem.summary     = 'Safe String#intern'
+  gem.description = 'Safe implementation of String#intern'
+  gem.authors     = ["Jan Rusnacko"]
+  gem.email       = 'rusnackoj@gmail.com'
+  gem.files       = `git ls-files`.split($/)
+  gem.extensions  = 'ext/symbol_defined/extconf.rb'
+  gem.required_ruby_version = ['>= 2.0']
+  gem.homepage    = 'https://github.com/jrusnack/safe_intern'
+  gem.license     = 'MIT'
+end

data/spec/safe_intern/exception_patch_spec.rb

@@ -0,0 +1,17 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'spec_helper'
+
+describe SafeIntern::ExceptionPatch do
+  context 'intern' do
+    it_behaves_like 'safe-intern', SafeIntern::ExceptionPatch, :intern
+  end
+
+  context 'to_sym' do
+    it_behaves_like 'safe-intern', SafeIntern::ExceptionPatch, :to_sym
+  end
+end

data/spec/safe_intern/nil_patch_spec.rb

@@ -0,0 +1,17 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'spec_helper'
+
+describe SafeIntern::NilPatch do
+  context '#intern' do
+    it_behaves_like 'safe-intern', SafeIntern::NilPatch, :intern
+  end
+
+  context '#to_sym' do
+    it_behaves_like 'safe-intern', SafeIntern::NilPatch, :to_sym
+  end
+end

data/spec/safe_intern_helper.rb

@@ -0,0 +1,29 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+shared_examples 'safe-intern' do |patch, method|
+  it 'should convert to Symbol if it already exists' do
+    'Object'.extend(patch).send(method).should be_eql(:Object)
+  end
+
+  it 'should not create new Symbol if it does not already exist' do
+    case patch.name
+    when 'SafeIntern::NilPatch'
+      'DoesNotExist'.extend(patch).send(method).should be_nil
+    when 'SafeIntern::ExceptionPatch'
+      expect { 'DoesNotExist'.extend(patch).send(method) }.to raise_error
+    else
+      fail
+    end
+    Symbol.all_symbols.map(&:to_s).should_not include('DoesNotExist')
+  end
+
+  it 'should accept :allow_unsafe as optional parameter' do
+    rnd = rand(100_000).to_s
+    Symbol.all_symbols.map(&:to_s).should_not include(rnd)
+    rnd.extend(patch).send(method, :allow_unsafe).should be_eql(rnd.to_sym)
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,13 @@
+# Copyright (C) 2014 Jan Rusnacko
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of the
+# MIT license.
+
+require 'safe_intern'
+require 'safe_intern_helper'
+
+RSpec.configure do |config|
+  config.color_enabled = true
+  config.formatter = :documentation
+end

metadata

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification
+name: safe_intern
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Jan Rusnacko
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-20 00:00:00.000000000 Z
+dependencies: []
+description: Safe implementation of String#intern
+email: rusnackoj@gmail.com
+executables: []
+extensions:
+- ext/symbol_defined/extconf.rb
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- ext/symbol_defined/extconf.rb
+- ext/symbol_defined/symbol_defined.c
+- lib/safe_intern.rb
+- lib/safe_intern/exception_patch.rb
+- lib/safe_intern/nil_patch.rb
+- lib/safe_intern/string.rb
+- lib/safe_intern/unsafe_intern_exception.rb
+- safe_intern.gemspec
+- spec/safe_intern/exception_patch_spec.rb
+- spec/safe_intern/nil_patch_spec.rb
+- spec/safe_intern_helper.rb
+- spec/spec_helper.rb
+homepage: https://github.com/jrusnack/safe_intern
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '2.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Safe String#intern
+test_files: []