Table of contents
1.
Introduction
2.
Objects in Ruby
2.1.
Creating Objects in Ruby
2.2.
Working of Objects in Ruby
2.3.
Copying Objects
2.4.
Marshaling Object
2.5.
Freezing Object
3.
Tainting Objects in Ruby
3.1.
Definitions of Safe Levels
3.1.1.
&SAFE >= 1
3.1.2.
$SAFE >= 2
3.1.3.
$SAFE >= 3
3.1.4.
$SAFE >= 4
3.2.
Tainting
3.3.
Trust
3.4.
Why is taint checking reduced?
4.
Frequently Asked Questions
4.1.
Mention some of the features of Ruby.
4.2.
Write some similarities between Python and Ruby.
4.3.
Name all four types of variables in Ruby.
4.4.
What are some of the main domains in Ruby class libraries?
4.5.
At what safety level can we change the tainted object?
5.
Conclusion
Last Updated: Mar 27, 2024
Medium

Tainting Objects in Ruby

Author Naman Kukreja
0 upvote
Career growth poll
Do you think IIT Guwahati certified course can help you in your career?

Introduction

Nowadays, the Ruby language has come into the limelight by various developers. It is a general-purpose and highly portable language used for developing static websites, applications, automation tools, and even data processing services. 

But Ruby is an object-oriented programming language, so everything in the language is associated with an object. So if an error came to an object, how will Ruby find and solve these errors. There are many methods, one of them being tainting of objects. We will discuss all tainting of objects in Ruby while moving further with the blog, so without wasting any time further, let’s get on with our topic.

Objects in Ruby

As Ruby is an object-oriented language, so one way or another, everything is an object in Ruby. Ruby Supports everything like inheritance, encapsulation, polymorphism, operator overloading, etc. We can use the new keyword to create objects in Ruby. We can create as many objects as we want from a single class.

We can access any class attribute using an object created using the class name. They can contain any data like variables and methods. Each object points to the exact memory location for the variable and accessing method without allocating new memory.

Creating Objects in Ruby

We have to use a new keyword with the name of a class like XYZ to create objects in Ruby.

  • We have created a class name XYZ. As you can see, we have to use the class keyword before the name, as we will use this name to create and define the object.
  • We have commented inside the class for the reader to understand what is happening inside the class.
  • Inside the class, we have used a predefined method, i.e., method initialize method.
  • Now, we are creating an object of the class using new.
  • The class will automatically initialize the method and the initialization of variables at the time of object creation. Here the object contains all the methods and variables of the XYZ class.
class XYZ
#Do the initialization here
def initialize(param1, param2)
# Here, we are initializing the variables.
@param1 = param1
@param2 = param2
end
end
B1 =XYZ.new(param1, param2)#Creation Of Object B1
B2 =XYZ.new(param1, param2)#Creation Of Object B2
B3 =XYZ.new(param1, param2)#Creation Of Object B3
B4 =XYZ.new(param1, param2)#Creation Of Object B4

Working of Objects in Ruby

In Ruby, the classes are the blueprint of Ruby, and every object at the time of creation has all the class properties.

  • We have a class name XYZ that contains a constant and method.
  • The new keyword will inform the class and ruby compiler that there is a request to create the new object.
  • Now, the ruby compiler will associate all the properties and memory of the class to the object with the new keyword.
  • Now, it depends on the user to create as many objects as he can create.
  • Each object will have the same constant and method inside it.

Copying Objects

We can use two methods for copying the objects one is dup method, and the other is the clone method, but both of them will give a shallow copy of the object. If you are copying an object and that object contains a reference for some other objects, then only the reference of the referenced objects will be copied, not the whole referenced objects.

If the object to be cloned has an initialize copy function, dup and clone simply allocate a new, empty instance of the class and call the initialize copy method on it. The object to be copied is supplied as a parameter, and this copy function Object()  can do whatever it wants with the copy. For instance, the initialize copy method could recursively copy an object's internal data. The result isn't just a shallow replica of the original.

Classes can directly produce any copy by overriding the dup and clone method.

The main difference between dup and clone method is that dup only copies the tainted state of the object, whereas the clone copies both the tainted and frozen state of the object. And the other difference between these two is that dup does not copy any singleton function, whereas clone does.

Marshaling Object

The class method Marshal.dump can save the state of the object if it is passed by this method. For an input/output stream, the Marshal.dump writes the object's state to the stream. Otherwise, it will return a binary string.

The Binding and Method objects are too dynamic to be marshaled.

Freezing Object

We can make any object frozen by calling its freezing method. The frozen object becomes immutable, and we can not change any of its internal states and cannot call any of its mutators.

If you copy a frozen object with the help of a clone, then the copied object will also remain frozen. But if you copy the frozen object with the help of dup, then the copy will not be frozen.

Tainting Objects in Ruby

Any Ruby object that is inherited from a third-party source is immediately identified as tainted. If your application derives a new object from a tainted object, the new object will be tainted as well. Any object that has had external data in the past will be corrupted. Regardless of the present safe level, this tainting procedure is carried out. Object#tainted? can be used to check an object's tainted status.

We can understand tainting as the mechanism used by Ruby to prevent or stop any faulty command executing in the host machine.

Taint checking any object or input that external users can modify or generate considered tainted. If a program potentially tries to execute using a tainted object while present in safe mode, this will raise a security error.

Definitions of Safe Levels

We can access the ruby security level by the $SAFE global variable. There are various safe levels, and each explanation has been discussed below.

&SAFE >= 1

  • The environment variables RUBYOPT and RUBYLIB are not processed, and also, the current directory is not added to the path. 
  • For a directory that has its name as a tainted string, we cannot chroot or manipulate it.
  • If a directory is in its word -writable, we cannot start the process from $PATH.
  • We cannot pass a tainted string.
  • We cannot execute a program or system command from a tainted string.

$SAFE >= 2

  • Cannot use chroot, make, change, or remove directories.
  • The world-writable directory cannot be used to load a file.
  • Any tainted file with a name starting from ~ cannot load.
  • Cannot handle signals using the trap.

$SAFE >= 3

  • Cannot untaint objects.
  • All the objects that are created are tainted.

$SAFE >= 4

  • Cannot modify the string, hash, or untainted array.
  • Cannot reopen or choose a nontainted file.
  • We cannot make modules or alias in the non-tainted array.
  • Cannot use autoload.
  • Cannot use the exit! or abort.
  • Cannot remove constraints or instance variables from non-tainted objects.

Tainting

We know about the object by its tainted flag if the tainted flag of an object is set. Then we can have an idea that the object has come from an unreliable source; hence we cannot use it in sensitive operations. You can ignore the taint flag when it is in level 0, but you can if you want to pay attention.

Some of the methods related to tainting are:

  • Tainted? : This will check whether an object is tainted or not.
  • Taint: Ths will make the object tainted. You can use it on any level except safe level 4.
  • Untaint: As the name suggests, this will remove the tainting from an object. From safe levels 0, 1, and 2.
s = "untrusted" # Objects are normally untainted
s.taint # Mark this untrusted object as tainted
s[1,2].tainted? # true: substrings are tainted
s.tainted? # true: it is tainted s.upcase.tainted?
# true: derived objects are tainted. 

Trust

Trust is a lot simpler compared to taint. Trust has a function to do with whether the object has come from a trusted or untrusted source. A trusted source will be anything less than safe level 4, and an untrusted one will be from safe level 4.

User inputs such as environment variables, command-line arguments, strings, etc., all will get tainted automatically.

Why is taint checking reduced?

Taint checking features were used in CGI programs, but most of the input libraries don't support this mechanism in recent times. Also, there were many vulnerabilities in tainting and safe variables method.

Frequently Asked Questions

Mention some of the features of Ruby.

  • It is an object-oriented language.
  • It is flexible
  • Supports dynamic and duck typing
  • Contains garbage collector and keyword arguments.

Write some similarities between Python and Ruby.

  • They are both high-level languages,
  • Support multiple platforms 
  • Server-side scripting languages 
  • User interactive rib prompts.

Name all four types of variables in Ruby.

  • Class Variable
  • Local Variable
  • Global Variable
  • Instance Variable

What are some of the main domains in Ruby class libraries?

Ruby class libraries contain a wide variety of domains such as data types, thread programming, text processing, GUI programming, etc.

At what safety level can we change the tainted object?

Till safe level 3, we can change the status flag and make our object untainted, but on safe level 4, we cannot make it untainted.

Conclusion

In this article, we have extensively discussed the tainting object in Ruby, with various operations that can be performed on objects, followed by a detailed explanation of all the safe levels and the reason for the reduction in tainting in recent times.

Suppose you are not much comfortable with Ruby and still wondering about whether you should proceed with Ruby or not. Don't worry, the coding ninja is here. There are the top 8 reasons why Ruby should be your first programming language!.

And for any further queries regarding Ruby you can visit here you will get answers to almost all of your queries.

Refer to our guided paths on Coding Ninjas Studio to learn more about DSA, Competitive Programming, React, JavaScript, System Design, etc. Refer to the mock test and problems; If you are looking for practice questions to enter in Tech Giants like Amazon, Microsoft, Uber, etc., you must look at the interview experiences and interview bundle for placement preparations. Do upvote our blog to help other ninjas grow.

Nevertheless, you may consider our paid courses to give your career an edge over others.

 “Happy Coding!”

 

 

Live masterclass