
`compile': Insecure operation `compile' at level 1 (SecurityError)

Open KINGSABRI opened this issue 7 years ago • 9 comments

Hello, I'm getting the following error when I try to run any example.

OS: Ubuntu 16.04 LTS
Ruby: 2.4

./empty_template.rb 
fatal: Not a git repository (or any of the parent directories): .git
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/lib/ruby/2.4.0/forwardable/impl.rb:6:in `compile': Insecure operation `compile' at level 1 (SecurityError)
        from /usr/lib/ruby/2.4.0/forwardable/impl.rb:6:in `_valid_method?'
        from /usr/lib/ruby/2.4.0/forwardable.rb:201:in `_delegator_method'
        from /usr/lib/ruby/2.4.0/forwardable.rb:180:in `def_instance_delegator'
        from /usr/lib/ruby/2.4.0/forwardable.rb:156:in `block in def_instance_delegators'
        from /usr/lib/ruby/2.4.0/forwardable.rb:155:in `each'
        from /usr/lib/ruby/2.4.0/forwardable.rb:155:in `def_instance_delegators'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/server.rb:256:in `<module:Vedeu>'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/server.rb:3:in `<top (required)>'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/all.rb:31:in `require'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/all.rb:31:in `<top (required)>'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/all.rb:36:in `require'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/all.rb:36:in `<top (required)>'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu.rb:109:in `require'
        from /var/lib/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu.rb:109:in `<top (required)>'
        from ./empty_template.rb:6:in `require'
        from ./empty_template.rb:6:in `<main>'

KINGSABRI avatar Feb 18 '17 18:02 KINGSABRI

Hi,

Sorry for the delay in replying to this. I've got a branch which fixes this issue, however, it is failing on CI at the moment. (https://github.com/gavinlaking/vedeu/pull/387) I need to investigate, fix, merge and release that, and then you should be good to go.

Kind Regards,

Gav

gavinlaking avatar Feb 26 '17 10:02 gavinlaking

+1, same to me.

OS: Mac OSX
Ruby: 2.4

$ bundle exec src/examples/dsl_alignment.rb
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
/usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/common.rb:102: warning: constant ::Fixnum is deprecated
bundler: failed to load command: src/examples/dsl_alignment.rb (src/examples/dsl_alignment.rb)
SecurityError: Insecure operation `compile' at level 1
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable/impl.rb:6:in `compile'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable/impl.rb:6:in `_valid_method?'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable.rb:201:in `_delegator_method'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable.rb:180:in `def_instance_delegator'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable.rb:156:in `block in def_instance_delegators'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable.rb:155:in `each'
  /usr/local/Cellar/ruby/2.4.0/lib/ruby/2.4.0/forwardable.rb:155:in `def_instance_delegators'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/server.rb:256:in `<module:Vedeu>'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/server.rb:3:in `<top (required)>'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/all.rb:31:in `require'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/distributed/all.rb:31:in `<top (required)>'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/all.rb:36:in `require'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu/all.rb:36:in `<top (required)>'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu.rb:109:in `require'
  /usr/local/lib/ruby/gems/2.4.0/gems/vedeu-0.8.32/lib/vedeu.rb:109:in `<top (required)>'
  src/examples/dsl_alignment.rb:6:in `require'
  src/examples/dsl_alignment.rb:6:in `<top (required)>'

janckerchen avatar Mar 21 '17 04:03 janckerchen

Is there a workaround?

indrekj avatar Sep 20 '17 15:09 indrekj

ping

mat813 avatar Dec 08 '17 15:12 mat813

Superficial review here. Ruby 2.4.3.

The issue is because of the use of $SAFE = 1 here https://github.com/gavinlaking/vedeu/blob/master/lib/vedeu/distributed/server.rb#L17. Setting that to 0 resolves the issue, but that's (likely) a very bad idea.

Perhaps the general problem is that $SAFE = 0 is needed for the testing framework or the offending file should not be required for all tests as it is now (currently everything seems to be required (https://github.com/gavinlaking/vedeu/blob/master/lib/vedeu/all.rb) for all tests)?

mjy avatar Dec 31 '17 18:12 mjy

This appears to be happening because of a change introduced in forwardable. A method was added to check validity of delegated method valid_method?. This method attempts to compile the delegated method (which is using eval?):

iseq = RubyVM::InstructionSequence.compile("().#{method}", nil, nil, 0, false)

This was introduced here:

https://github.com/ruby/ruby/commit/2283d14cc9fefa278dfde02bdf8d84ce50cfe16f#diff-f8ad465135e9b25d06e71454b6e18317R6

Sadly, my knowledge of InstructionSequence is.. limited (non-existent).. so that's all I can say on the matter. Hopefully it helps you better figure out the issue.

Having said that, the quick, simple fix is to replace the delegated methods with proxy methods, as in this PR (local tests passing but your CI is broken as you are already aware):

https://github.com/gavinlaking/vedeu/pull/392

Let me know if you want me to clean anything up.

From Thailand with love :heart:

damien-roche avatar Mar 28 '18 22:03 damien-roche
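
The proxy-method replacement described in the comment above, as an added example that is not code from vedeu or from the linked PR. `Backend`, `DelegatingServer`, `ProxyServer` and the forwarded method names are hypothetical; `$SAFE` is not set here, so the difference is shown through the file each method was compiled from.

```ruby
require 'forwardable'

# Hypothetical backend; stands in for whatever object the real class forwards to.
class Backend
  def input(data); "in:#{data}"; end
  def output; 'out'; end
end

# Before: Forwardable builds each delegator by compiling a source string while
# the class body is being evaluated. That compile step is where the backtraces
# in this thread end, and it is the operation rejected at $SAFE level 1.
class DelegatingServer
  extend Forwardable
  def_delegators :@backend, :input, :output

  def initialize(backend = Backend.new)
    @backend = backend
  end
end

# After: hand-written proxy methods. They are parsed together with the rest of
# the file, so nothing is compiled from a string when the class is loaded.
class ProxyServer
  def initialize(backend = Backend.new)
    @backend = backend
  end

  def input(data)
    @backend.input(data)
  end

  def output
    @backend.output
  end
end

# Returns the base name of the file an instance method was compiled from.
def defined_in(klass, name)
  File.basename(klass.instance_method(name).source_location.first)
end

# True when both classes return the same result for every [method, args] pair.
def same_behaviour?(calls)
  a, b = DelegatingServer.new, ProxyServer.new
  calls.all? { |name, args| a.public_send(name, *args) == b.public_send(name, *args) }
end
```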

Any progress on this?

Inhakki avatar Aug 22 '18 02:08 Inhakki

Same here.

ghost avatar Sep 22 '18 23:09 ghost

Just stumbled upon the same problem on macOS 10.14.5 with Ruby 2.6.3

bolandross avatar May 26 '19 15:05 bolandross