◀Table of Contents
Security
Please report security vulnerabilities via the process outlined in the reporting vulnerabilities guide. Specific guidelines for reporting security issues of the GraalVM project, including TruffleRuby, can be found in the SECURITY file.
Unimplemented Security Features
Ruby’s $SAFE
feature adds additional checks regarding how tainted data is used, but they are not always correct.
The checks for tainted data are likewise inconsistent and their implementation has been the subject of many vulnerabilities,
including regressions of previously fixed vulnerabilities, as detailed below.
Consensus in the Ruby community is that $SAFE
is a broken security feature that does not provide genuine safety and it will eventually be removed.
For these reasons, TruffleRuby will not let you enable the $SAFE
feature.
This does not disable a security feature that would normally be enabled - it prevents you from using a broken security feature.
This has the effect that $SAFE
and Thread#safe_level
are 0
and no other levels are implemented.
Trying to use level 1
will raise a SecurityError
.
Other levels will raise an ArgumentError
as in standard Ruby.
MRI Vulnerabilities
Vulnerabilities reported against MRI may apply to the design of Ruby or to code that we share with MRI. We list reported MRI vulnerabilities here and document how MRI has mitigated the vulnerability, if the mitigation is tested by anything, and how TruffleRuby has mitigated. We have not investigated all legacy vulnerabilities, as it is often very hard to work out the details from older reports.
Cross-reference with the details on the MRI website.
Number | Description | Their Mitigation | Test | Our Mitigation |
---|---|---|---|---|
CVE-2021-31810 | Trusting FTP PASV responses vulnerability in Net::FTP | Fix | Test | Same |
CVE-2021-32066 | A StartTLS stripping vulnerability in Net::IMAP | Fix | Test | Same |
CVE-2021-31799 | A command injection vulnerability in RDoc | Fix Backport | Test | Same |
CVE-2021-28966 | Path traversal in Tempfile on Windows | Sanitization of paths in tmpdir.rb | In test/mri/tests/test_tmpdir.rb |
Sanitization of paths in tmpdir.rb |
CVE-2021-28965 | XML round-trip vulnerability in REXML | Update to REXML 3.2.5 | In ruby/rexml | Update to REXML 3.2.5 |
CVE-2020-10663 | Unsafe Object Creation Vulnerability in JSON (Additional fix) | Fix | Spec | The pure Ruby version of JSON we use is safe |
CVE-2019-16255 | A code injection vulnerability of Shell#[] and Shell#test | Fix | MRI test | Same |
CVE-2019-16254 | HTTP response splitting in WEBrick (Additional fix) | Fix | MRI test | Same |
CVE-2019-15845 | A NUL injection vulnerability of File.fnmatch and File.fnmatch? | Fix | MRI test | Check for NUL bytes |
CVE-2019-16201 | Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication | Fix | MRI test | Same |
CVE-2012-6708 | Multiple jQuery vulnerabilities in RDoc | Remove jquery.js | N/A | Same |
CVE-2015-9251 | Multiple jQuery vulnerabilities in RDoc | Remove jquery.js | N/A | Same |
CVE-2019-8320 | Delete directory using symlink when decompressing tar |
Check the expanded path | Tested in MRI test/rubygems/test_gem_package.rb |
Applied the same patch |
CVE-2019-8321 | Escape sequence injection in verbose |
Sanitise message | Tested in ruby/spec :security |
Applied the same patch |
CVE-2019-8322 | Escape sequence injection in gem owner |
Sanitise message | Tested in ruby/spec :security |
Applied the same patch |
CVE-2019-8323 | Escape sequence injection vulnerability in API response handling | Sanitise message | Tested in ruby/spec :security |
Applied the same patch |
CVE-2019-8324 | Installing a malicious gem may lead to arbitrary code execution | Verifying gems before pre-install checks | Tested in MRI test/rubygems/test_gem_installer.rb |
Applied the same patch |
CVE-2019-8325 | Escape sequence injection in errors | Sanitise error messages | Tested in ruby/spec :security |
Applied the same patch |
CVE-2018-16395 | OpenSSL::X509::Name equality check does not work correctly |
|||
CVE-2018-16396 | Tainted flags are not propagated in Array#pack and String#unpack with some directives |
Additional taint operations | Tested in ruby/spec :security |
Additional taint operations |
CVE-2018-6914 | Unintentional file and directory creation with directory traversal in tempfile and tmpdir |
Sanitization of paths | Tested in ruby/spec :security |
Sanitization of paths |
CVE-2018-8779 | Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket |
Check for NUL bytes | Tested in ruby/spec :security |
Check for NUL bytes |
CVE-2018-8780 | Unintentional directory traversal by poisoned NUL byte in Dir |
Check for NUL bytes | Tested in ruby/spec :security |
Check for NUL bytes |
CVE-2018-8777 | DoS by large request in WEBrick | Logic for header length | Tested in MRI test/webrick/test_httpserver.rb |
Applied the same mitigation |
CVE-2017-17742 | HTTP response splitting in WEBrick | Logic for invalid headers | Tested in ruby/spec :security |
Applied the same mitigation |
CVE-2018-8778 | Buffer under-read in String#unpack | A range check | Tested in ruby/spec :security |
A range check |
CVE-2017-17405 | Command injection vulnerability in Net::FTP |
Treat paths in commands explicitly as paths, not general IO commands | Tested in MRI test/net/ftp/test_ftp.rb |
Applied the same mitigation |
CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | Proper escaping of logs | Tested in MRI test/webrick/test_httpauth.rb |
Applied the same mitigation |
CVE-2017-0898 | Buffer underrun vulnerability in Kernel.sprintf |
|||
CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | |||
CVE-2017-14064 | Heap exposure vulnerability in generating JSON | |||
CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | |||
CVE-2015-7551 | Unsafe tainted string usage in Fiddle and DL (regression of the mitigation of CVE-2009-5147) | Additional taint checks | Tested in MRI test/mri/tests/fiddle/test_handle.rb |
Not applicable as we do not support $SAFE , and the DL module was removed in Ruby 2.2.0 |
CVE-2015-1855 | Ruby OpenSSL Hostname Verification | |||
CVE-2014-8090 | Another Denial of Service XML Expansion | |||
CVE-2014-8080 | Denial of Service XML Expansion | Tested in ruby/spec :security |
||
None | Changed default settings of ext/openssl | |||
CVE-2014-2734 | Dispute of Vulnerability | |||
CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | |||
CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | |||
CVE-2013-4164 | Heap Overflow in Floating Point Parsing | Tested in ruby/spec :security |
||
CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | |||
CVE-2013-2065 | Object taint bypassing in DL and Fiddle in Ruby | Additional taint checks | Tested in MRI test/mri/tests/fiddle/test_func.rb |
Not applicable as we do not support $SAFE , and the DL module was removed in Ruby 2.2.0 |
CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | |||
CVE-2013-0269 | Denial of Service and Unsafe Object Creation Vulnerability in JSON | |||
CVE-2013-0256 | XSS exploit of RDoc documentation generated by rdoc |
|||
CVE-2012-5371 | Hash-flooding DoS vulnerability for ruby 1.9 | |||
CVE-2012-4522 | Unintentional file creation caused by inserting a illegal NUL character | |||
CVE-2012-4464, CVE-2012-4466 | $SAFE escaping vulnerability about Exception#to_s / NameError#to_s |
Not applicable as we do not support $SAFE |
||
None | Security Fix for RubyGems: SSL server verification failure for remote repository | |||
CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | |||
CVE-2011-4815 | Denial of service attack was found for Ruby’s Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/urandom |
None | Exception methods can bypass $SAFE |
Not applicable as we do not support $SAFE |
||
None | FileUtils is vulnerable to symlink race attacks | |||
CVE-2010-0541 | XSS in WEBrick | |||
None | Buffer over-run in ARGF.inplace_mode= |
|||
None | WEBrick has an Escape Sequence Injection vulnerability | |||
CVE-2009-5147 | DL::dlopen opens libraries with tainted names |
Additional taint checks | The DL module does not exist in modern Ruby |
Not applicable as we do not support $SAFE , and the DL module was removed in Ruby 2.2.0 |
CVE-2009-4124 | Heap overflow in String |
|||
None | DoS vulnerability in BigDecimal |
|||
None | DoS vulnerability in REXML |
|||
CVE-2008-1447 | Multiple vulnerabilities in Ruby | |||
CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726, CVE-2008-2664, CVE-2008-1891 | Arbitrary code execution vulnerabilities | |||
None | File access vulnerability of WEBrick | |||
None | Net::HTTPS Vulnerability |
|||
JVN#84798830 | Another DoS Vulnerability in CGI Library | |||
CVE-2006-5467 | DoS Vulnerability in CGI Library | |||
VU#160012 | Ruby vulnerability in the safe level settings | Not applicable as we do not support $SAFE |
JRuby Vulnerabilities
TruffleRuby uses code from JRuby, so vulnerabilities reported against JRuby may apply to TruffleRuby.
Number | Description | Their Mitigation | Test | Our Mitigation |
---|---|---|---|---|
CVE-2012-5370 | JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/urandom |
CVE-2011-4838 | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/urandom |
Rubinius Vulnerabilities
TruffleRuby uses code from Rubinius, so vulnerabilities reported against Rubinius may apply to TruffleRuby.
Number | Description | Their Mitigation | Test | Our Mitigation |
---|---|---|---|---|
CVE-2012-5372 | Rubinius computes hash values without properly restricting the ability to trigger hash collisions predictably (cross-reference CVE-2011-4815, CVE-2011-4838, CVE-2012-5370) | Hashes are made non-deterministic by incorporating output from /dev/urandom |
Tested in ruby/spec :security |
Hashes are made non-deterministic by incorporating a seed from /dev/urandom |
Java Dependency Vulnerabilities
JONI
No vulnerabilities are known.
JCodings
Number | Description | Their Mitigation | Test | Our Mitigation |
---|---|---|---|---|
CVE-2010-1330 | The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u' , does not properly handle characters immediately after a UTF-8 character |
Check byte sequences for the UTF-8 encoding when perform regexp operations | Tested in ruby/spec :security |
Applied the same mitigation |
Other Dependency Vulnerabilities
zlib
No vulnerabilities are known, but consider potential vulnerabilities in your system zlib
.
libssl
Consider potential vulnerabilities in your system libssl
.
FFI
Number | Description | Their Mitigation | Test | Our Mitigation |
---|---|---|---|---|
CVE-2018-1000201 | A DLL loading issue can be hijacked on Windows when a Symbol is used for the library name |
Treat Symbols the same as Strings in ffi_lib |
Applied the same mitigation, by using a version of FFI which fixed this vulnerability |
Notes on Hashing
TruffleRuby uses MurmurHash2
hashing with a seed from /dev/urandom
- it cannot be configured to use any other hashing algorithm.
For hashing strings, TruffleRuby uses Java’s hash algorithm (and then MurmurHash2
on top).