@wing328
Member

@wing328 wing328 commented Feb 17, 2021

  • Force users to specify the temp folder path to address security concerns, as the default location of the temp folder can be read by any user.
  • If the temp folder path is not set, an exception will be thrown.

PR checklist

  • Read the contribution guidelines.
  • Pull Request title clearly describes the work in the pull request and Pull Request description provides details about how to validate the work. Missing information here may result in delayed response from the community.
  • Run the following to build the project and update samples:
    ./mvnw clean package 
    ./bin/generate-samples.sh
    ./bin/utils/export_docs_generators.sh
    
    Commit all changed files.
    This is important, as CI jobs will verify all generator outputs of your HEAD commit as it would merge with master.
    These must match the expectations made by your contribution.
    You may regenerate an individual generator by passing the relevant config(s) as an argument to the script, for example ./bin/generate-samples.sh bin/configs/java*.
    For Windows users, please run the script in Git BASH.
  • File the PR against the correct branch: master, 5.1.x, 6.0.x
  • If your PR is targeting a particular programming language, @mention the technical committee members, so they are more likely to review the pull request.

cc @cliffano (2017/07) @zlx (2017/09) @autopp (2019/02)

@wing328 wing328 marked this pull request as ready for review February 18, 2021 01:51
@wing328 wing328 merged commit 18a6f5a into master Feb 20, 2021
@wing328 wing328 deleted the ruby-fix-tmp branch February 20, 2021 03:49
@JLLeitschuh
Contributor

Hey @wing328,

This may not be needed. It looks like the Ruby TempDir is safe because of the file permissions that it sets.

https://github.com/ruby/tempfile/blob/68859c2b50cb7547c760fd83fb317f35da3a15fa/lib/tempfile.rb#L139-L143

@wing328
Member Author

wing328 commented Feb 23, 2021

You're right:

ls -l /var/folders/sq/v633xdj94hz1jcq91qw5bkc40000gn/T/some_prefix20210223-29375-kpakg3
-rw-------  1 staff     0B Feb 23 20:38 /var/folders/sq/v633xdj94hz1jcq91qw5bkc40000gn/T/some_prefix20210223-29375-kpakg3

Confirmed it's not readable by everyone. Will revert the change.
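
Added example, not part of the thread or of the project's code: a Ruby script that reproduces the check above by comparing the permission bits of a `Tempfile`, a `Dir.mktmpdir` directory, and a file created with a plain `File.open`. It assumes a POSIX filesystem and sets a umask of 022 as a constructed, typical value; the function names are hypothetical.

```ruby
require "tempfile"
require "tmpdir"

# Permission bits (lower 9 bits of st_mode) for a path, e.g. 0o600.
def perm_bits(path)
  File.stat(path).mode & 0o777
end

# True when group or other have any access bit set.
def exposed_to_others?(mode)
  (mode & 0o077) != 0
end

# Create temp objects three ways and return a hash of label => mode bits.
def compare_temp_permissions
  old_umask = File.umask(0o022) # constructed, typical default umask
  result = {}

  # 1. Tempfile opens with O_CREAT|O_EXCL and an explicit perm of 0600.
  Tempfile.create("some_prefix") do |f|
    result[:tempfile] = perm_bits(f.path)
  end

  # 2. Dir.mktmpdir creates the directory with mode 0700.
  Dir.mktmpdir("some_prefix") do |dir|
    result[:mktmpdir] = perm_bits(dir)

    # 3. Plain File.open uses perm 0666 masked by the umask (0644 here).
    #    It is placed inside the private directory only so it is cleaned up;
    #    the comparison is about the mode bits the call itself produces.
    naive = File.join(dir, "naive.tmp")
    File.open(naive, "w") { |f| f.write("x") }
    result[:naive_open] = perm_bits(naive)
  end
  result
ensure
  File.umask(old_umask) # restore the caller's umask
end

if __FILE__ == $PROGRAM_NAME
  compare_temp_permissions.each do |label, mode|
    note = exposed_to_others?(mode) ? "readable by others" : "owner only"
    puts format("%-11s %04o %s", label, mode, note)
  end
end
```
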

wing328 added a commit that referenced this pull request Feb 23, 2021
wing328 added a commit that referenced this pull request Feb 23, 2021
@wing328 wing328 removed this from the 5.1.0 milestone Mar 20, 2021
@wing328
Member Author

wing328 commented Mar 20, 2021

The change has been reverted.

@wing328 wing328 modified the milestone: 5.1.1 Apr 30, 2021
@wing328 wing328 changed the title [Ruby] force users to specify the temp folder path to address security concerns [REVERTED] [Ruby] force users to specify the temp folder path to address security concerns May 7, 2021