What are tainted objects, and when should we untaint them?


Question

When do Ruby objects need to be made tainted, and when should we untaint them? How does the concept of a tainted object make a Ruby script run in safe mode? Can anyone elaborate on this to make the concept clear with some code snippets?

Recommended answer

What is Tainted?

User input is tainted, by definition. For example:

string = gets
string.tainted?
# => true

You can also manually taint an object.

string = 'Not yet tainted.'
string.tainted?
# => false

(string = 'Explicitly taint me!').taint
string.tainted?
# => true

Why Untaint an Object?

Generally, you would untaint an object only after you validate and/or sanitize it. Untainting an object marks it as "safe" for certain operations that you wouldn't want to run on untrusted strings or other objects, or when your safe level requires an untainted object to perform the desired operation.

The easiest way to untaint an object is to call the Object#untaint method on it. For example, if your string variable holds a tainted object, then:

(string = "Let's taint this string!").taint
string.untaint.tainted?
# => false

More About Tainted Objects

You can find out more about tainted objects from the Locking Ruby in the Safe chapter of Programming Ruby.
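The validate-then-untaint pattern the answer describes, written out as an added example (not code from the original post). SAFE_NAME, sanitize_untrusted, build_profile_path and untrusted_sample are hypothetical names; real taint tracking assumes a Ruby before 2.7, since taint calls became no-ops in 2.7 and were removed in 3.2 (and $SAFE was removed in 3.0), so on newer Rubies the helpers fall back to plain allow-list validation.

```ruby
# Added example: untaint only after validation, and make sensitive code
# refuse tainted data, as $SAFE >= 1 did on pre-3.0 Rubies.
SAFE_NAME = /\A[a-z0-9_-]{1,32}\z/   # allow-list for a user-supplied name

# True only on a Ruby where taint tracking still does something
# (< 2.7). Returns false where taint is a no-op or the method is gone.
def taint_supported?
  "probe".dup.taint.tainted?
rescue NoMethodError
  false
end

# Constructed stand-in for input read via `gets`: tainted where possible.
def untrusted_sample(text)
  s = text.dup
  s.taint if taint_supported?
  s
end

# Returns an untainted copy of +input+ if it matches +pattern+, otherwise
# raises. The untaint happens strictly after the allow-list check.
def sanitize_untrusted(input, pattern)
  unless input =~ pattern
    raise ArgumentError, "rejected untrusted input: #{input.inspect}"
  end
  safe = input.dup
  safe.untaint if taint_supported?
  safe
end

# A sensitive operation (building a filesystem path) that, like safe mode,
# refuses to run on data that is still tainted.
def build_profile_path(name)
  if taint_supported? && name.tainted?
    raise SecurityError, "tainted input reached a sensitive operation"
  end
  "/var/app/profiles/#{name}.json"
end

if __FILE__ == $0
  puts build_profile_path(sanitize_untrusted(untrusted_sample("alice_01"), SAFE_NAME))
  begin
    build_profile_path(sanitize_untrusted(untrusted_sample("../../etc/passwd"), SAFE_NAME))
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```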
