emancu / toml-rb

A parser for TOML using Citrus library.
MIT License

[Security] Files are writable to every user after installation #139

Closed SimonHoenscheid closed 1 year ago

SimonHoenscheid commented 1 year ago

This topic came up after IT Security scanned some servers we are using the gem on. I validated this on different Linux systems and macOS. Is there a need for the 0666 file permissions after installation? Generally 0664, 0644, 0640 or even lower should be sufficient here. I had a look at the gem and could not find the code which modifies the files.

File permissions in Git:

```
-rw-r--r-- 1 1,0K 30 Nov 09:55 LICENSE
-rw-r--r-- 1 2,8K 30 Nov 09:55 README.md
-rw-r--r-- 1 2,7K 30 Nov 09:55 lib/toml-rb.rb
-rw-r--r-- 1 153B 30 Nov 09:55 lib/toml-rb/array.rb
-rw-r--r-- 1 1,0K 30 Nov 09:55 lib/toml-rb/datetime.rb
-rw-r--r-- 1 2,7K 30 Nov 09:55 lib/toml-rb/dumper.rb
-rw-r--r-- 1 350B 30 Nov 09:55 lib/toml-rb/errors.rb
-rw-r--r-- 1 727B 30 Nov 09:55 lib/toml-rb/grammars/array.citrus
-rw-r--r-- 1 1,2K 30 Nov 09:55 lib/toml-rb/grammars/document.citrus
-rw-r--r-- 1 244B 30 Nov 09:55 lib/toml-rb/grammars/helper.citrus
-rw-r--r-- 1 3,0K 30 Nov 09:55 lib/toml-rb/grammars/primitive.citrus
-rw-r--r-- 1 559B 30 Nov 09:55 lib/toml-rb/inline_table.rb
-rw-r--r-- 1 1,5K 30 Nov 09:55 lib/toml-rb/keyvalue.rb
-rw-r--r-- 1 1,1K 30 Nov 09:55 lib/toml-rb/parser.rb
-rw-r--r-- 1 1,4K 30 Nov 09:55 lib/toml-rb/string.rb
-rw-r--r-- 1 1,1K 30 Nov 09:55 lib/toml-rb/table.rb
-rw-r--r-- 1 1,2K 30 Nov 09:55 lib/toml-rb/table_array.rb
-rw-r--r-- 1 69B 30 Nov 09:55 lib/toml-rb/version.rb
```

After installation:

```
-rw-rw-rw- 1 1,0K 30 Nov 10:04 LICENSE
-rw-rw-rw- 1 2,8K 30 Nov 10:04 README.md
-rw-rw-rw- 1 2,7K 30 Nov 10:04 lib/toml-rb.rb
-rw-rw-rw- 1 153B 30 Nov 10:04 lib/toml-rb/array.rb
-rw-rw-rw- 1 1,0K 30 Nov 10:04 lib/toml-rb/datetime.rb
-rw-rw-rw- 1 2,7K 30 Nov 10:04 lib/toml-rb/dumper.rb
-rw-rw-rw- 1 350B 30 Nov 10:04 lib/toml-rb/errors.rb
-rw-rw-rw- 1 727B 30 Nov 10:04 lib/toml-rb/grammars/array.citrus
-rw-rw-rw- 1 1,2K 30 Nov 10:04 lib/toml-rb/grammars/document.citrus
-rw-rw-rw- 1 244B 30 Nov 10:04 lib/toml-rb/grammars/helper.citrus
-rw-rw-rw- 1 3,0K 30 Nov 10:04 lib/toml-rb/grammars/primitive.citrus
-rw-rw-rw- 1 559B 30 Nov 10:04 lib/toml-rb/inline_table.rb
-rw-rw-rw- 1 1,5K 30 Nov 10:04 lib/toml-rb/keyvalue.rb
-rw-rw-rw- 1 1,1K 30 Nov 10:04 lib/toml-rb/parser.rb
-rw-rw-rw- 1 1,4K 30 Nov 10:04 lib/toml-rb/string.rb
-rw-rw-rw- 1 1,1K 30 Nov 10:04 lib/toml-rb/table.rb
-rw-rw-rw- 1 1,2K 30 Nov 10:04 lib/toml-rb/table_array.rb
-rw-rw-rw- 1 69B 30 Nov 10:04 lib/toml-rb/version.rb
```

emancu commented 1 year ago

@SimonHoenscheid I agree. I don't think there is a need for the 0666 file permissions. However, I don't see a relationship between the gem and your installation process.

When you clone the repo, file permissions are correct, as you flagged. I guess it is a problem with the dependency manager or the way you install gems 🤔

What is your dependency manager (including version)? Does that happen with toml-rb only? Or are there other gems with the same "problem"?

SimonHoenscheid commented 1 year ago

@emancu what do you mean by dependency manager? A tool like bundle? I just tried with gem install. I checked with normal Ruby, but the issue was initially discovered inside a Puppet installation using JRuby.

emancu commented 1 year ago

@SimonHoenscheid yeah, I meant bundle or just gem install.

🤔 I don't see a problem with toml-rb in particular. If you clone the repository and point your GEM PATH to it, you will get the right permissions, so I assume it is a problem with the tools you use to install gems. What about other gems?

On the other hand, if you know what is wrong with toml-rb and you want to fix it, I'm happy to review a PR fixing this problem.
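To answer both the original report (files installed as 0666) and the maintainer's question of whether other installed gems show the same modes, here is an added audit script. It is not code from toml-rb or from either participant; it walks a directory tree, lists every entry whose mode grants write access to group or others, and tightens those entries to owner-write only (0666 becomes 0644, 0777 becomes 0755, i.e. the modes the files carry in Git, which is stricter than the 0664 the reporter would also accept). The `demo` function builds a constructed sample tree in a temporary directory so the script runs offline.

```ruby
# Added example, not part of toml-rb: find and fix group/world-writable
# entries in an installed gem tree (the 0666 modes reported above).
require "find"
require "tmpdir"

LOOSE_BITS = 0o022 # write bit for group (0o020) and for others (0o002)

# [[relative_path, "0666"], ...] for each non-symlink entry under +root+
# whose mode has a group or other write bit set.
def loose_permissions(root)
  found = []
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink?
    mode = st.mode & 0o777
    next if (mode & LOOSE_BITS).zero?
    found << [path.delete_prefix(root).delete_prefix("/"), format("%04o", mode)]
  end
  found.sort
end

# Permission bits with group/other write removed; owner and exec bits kept.
def hardened_mode(mode)
  mode & 0o777 & ~LOOSE_BITS
end

# chmod every loose entry under +root+ to its hardened mode; returns count.
def harden!(root)
  changed = 0
  Find.find(root) do |path|
    st = File.lstat(path)
    next if st.symlink? || hardened_mode(st.mode) == (st.mode & 0o777)
    File.chmod(hardened_mode(st.mode), path)
    changed += 1
  end
  changed
end

# Constructed sample tree mimicking the report: one 0666 file, one 0644 file.
# Returns [loose entries before hardening, loose entries after hardening].
def demo
  Dir.mktmpdir("gem-audit") do |dir|
    lib = File.join(dir, "lib")
    Dir.mkdir(lib, 0o755)
    File.write("#{lib}/toml-rb.rb", "# sample\n")
    File.chmod(0o666, "#{lib}/toml-rb.rb")
    File.write("#{dir}/LICENSE", "MIT\n")
    File.chmod(0o644, "#{dir}/LICENSE")
    before = loose_permissions(dir)
    harden!(dir)
    [before, loose_permissions(dir)]
  end
end
```

To audit every gem installed for the current RubyGems environment rather than the constructed sample, call `loose_permissions(Gem.dir)` (RubyGems' own `Gem.dir` returns the installation directory); review the list before running `harden!` against a real gem path.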