Posted to dev@whimsical.apache.org by Craig Russell <ap...@gmail.com> on 2020/06/26 17:45:51 UTC

COI tool permissions issues

It appears that there are some issues with tainting that I do not understand. Thanks to sebb for sorting the immediate issues that kept the tool from working. I still do not understand why the coi.cgi script worked locally with setupmymac but failed when running in the whimsy server environment.

The problems that I had raise some higher level issues worth discussing.

There are at least three ways I know of to use svn from cgi scripts:
- construct svn commands and call the system to execute them
- use svn to prepare svn commands and execute them
- use svn_ to prepare svn commands and execute them

User and password are available as global constants $USER and $PASSWORD. But they are also available in some environments via the "_" variable and ENV.

I'd like to have some best practices documented:

Which technique for executing svn is appropriate?

How should credentials be passed from one layer to the next? 

Which code should be responsible for untainting variables?

And while we are discussing structure of code, what kinds of things are appropriate for "top level" execution in the cgi script (outside of a function definition)? What things are appropriate for inside functions? What things are appropriate for directly executing within the _html section, the _body section, the _whimsy_body section, and the do block following the _whimsy_body section?

Craig L Russell
clr@apache.org


Re: COI tool permissions issues

Posted by Sam Ruby <ru...@intertwingly.net>.
Unfortunately, support for tainting is going away by Ruby 3.2. And in
Ruby 2.7 it was scaled back to the point of being unusable[1].

Given this, over time we will need to move from a strategy of relying
exclusively on making checks at the point of entry to complementing
those checks at points where calls out to the file system and system
calls are made.  This will be important as we move to Ubuntu 20.04
which includes Ruby 2.7 by default.

- Sam Ruby

[1] https://blog.saeloun.com/2020/02/18/ruby-2-7-access-and-setting-of-safe-warned-will-become-global-variable.html

On Tue, Jun 30, 2020 at 2:15 PM Matt Sicker <bo...@gmail.com> wrote:
>
> Tainting is a way of keeping track of whether or not user input has been
> validated before being used in a potentially unsafe context like
> executing commands. It's the Ruby equivalent of handling SQL injection
> but for general injection tracking.
>
> On Fri, 26 Jun 2020 at 12:45, Craig Russell <ap...@gmail.com> wrote:
> >
> > It appears that there are some issues with tainting that I do not understand. Thanks to sebb for sorting the immediate issues that kept the tool from working. I still do not understand why the coi.cgi script worked locally with setupmymac but failed when running in the whimsy server environment.
> >
> > The problems that I had raise some higher level issues worth discussing.
> >
> > There are at least three ways I know of to use svn from cgi scripts:
> > - construct svn commands and call the system to execute them
> > - use svn to prepare svn commands and execute them
> > - use svn_ to prepare svn commands and execute them
> >
> > User and password are available as global constants $USER and $PASSWORD. But they are also available in some environments via the "_" variable and ENV.
> >
> > I'd like to have some best practices documented:
> >
> > Which technique for executing svn is appropriate?
> >
> > How should credentials be passed from one layer to the next?
> >
> > Which code should be responsible for untainting variables?
> >
> > And while we are discussing structure of code, what kinds of things are appropriate for "top level" execution in the cgi script (outside of a function definition)? What things are appropriate for inside functions? What things are appropriate for directly executing within the _html section, the _body section, the _whimsy_body section, and the do block following the _whimsy_body section?
> >
> > Craig L Russell
> > clr@apache.org
> >
>
>
> --
> Matt Sicker <bo...@gmail.com>

Re: COI tool permissions issues

Posted by Matt Sicker <bo...@gmail.com>.
Tainting is a way of keeping track of whether or not user input has been
validated before being used in a potentially unsafe context like
executing commands. It's the Ruby equivalent of handling SQL injection
but for general injection tracking.

On Fri, 26 Jun 2020 at 12:45, Craig Russell <ap...@gmail.com> wrote:
>
> It appears that there are some issues with tainting that I do not understand. Thanks to sebb for sorting the immediate issues that kept the tool from working. I still do not understand why the coi.cgi script worked locally with setupmymac but failed when running in the whimsy server environment.
>
> The problems that I had raise some higher level issues worth discussing.
>
> There are at least three ways I know of to use svn from cgi scripts:
> - construct svn commands and call the system to execute them
> - use svn to prepare svn commands and execute them
> - use svn_ to prepare svn commands and execute them
>
> User and password are available as global constants $USER and $PASSWORD. But they are also available in some environments via the "_" variable and ENV.
>
> I'd like to have some best practices documented:
>
> Which technique for executing svn is appropriate?
>
> How should credentials be passed from one layer to the next?
>
> Which code should be responsible for untainting variables?
>
> And while we are discussing structure of code, what kinds of things are appropriate for "top level" execution in the cgi script (outside of a function definition)? What things are appropriate for inside functions? What things are appropriate for directly executing within the _html section, the _body section, the _whimsy_body section, and the do block following the _whimsy_body section?
>
> Craig L Russell
> clr@apache.org
>


-- 
Matt Sicker <bo...@gmail.com>
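
Added example, not part of the original thread and not Whimsy's own code: a check made at the point where svn is called, of the kind Sam Ruby describes, standing in for the tracking Matt Sicker describes now that Ruby no longer flags tainted strings. The SafeSvn module, its allowlists and the example.org URL are assumptions made for illustration; --password-from-stdin needs Subversion 1.10 or later.

```ruby
require 'open3'

# Hypothetical helper: every value is validated where the svn command line
# is built, because the interpreter no longer tracks taint for us.
module SafeSvn
  SUBCOMMANDS = %w[info list cat update].freeze   # assumed allowlist
  USER_RE = /\A[a-z][a-z0-9_-]{0,31}\z/           # assumed account id format
  # Must start with https://, so a target can never be read as an option.
  URL_RE = %r{\Ahttps://[a-z0-9.-]+(/[A-Za-z0-9._~+-]+)*/?\z}

  class Rejected < ArgumentError; end

  # Returns an argv array (one element per argument), never a shell string.
  def self.argv(subcommand, target, user: nil)
    unless SUBCOMMANDS.include?(subcommand)
      raise Rejected, "subcommand #{subcommand.inspect}"
    end
    unless target.is_a?(String) && URL_RE.match?(target)
      raise Rejected, "target #{target.inspect}"
    end
    raise Rejected, "target contains '..'" if target.split('/').include?('..')

    args = ['svn', subcommand, '--non-interactive']
    if user
      unless user.is_a?(String) && USER_RE.match?(user)
        raise Rejected, "user #{user.inspect}"
      end
      args += ['--no-auth-cache', '--username', user, '--password-from-stdin']
    end
    args + [target]
  end

  # Runs svn with no shell in between; the password travels on stdin, so it
  # does not show up in the process list or the environment.
  def self.run(subcommand, target, user: nil, password: nil)
    cmd = argv(subcommand, target, user: user)
    out, status = Open3.capture2e(*cmd, stdin_data: user ? password.to_s : '')
    [status.success?, out]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; only builds the argv, does not execute svn.
  p SafeSvn.argv('info', 'https://svn.example.org/repos/docs/coi.txt', user: 'alice')
end
```

Because the array form is passed to Open3, shell metacharacters in a value are never interpreted even if a pattern is later loosened; the patterns exist to stop values that svn itself would treat as options or unexpected targets.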