
2.1.1. Object.tainted?

Each object in Ruby carries a taint flag that marks it as originating from an unsafe source. Additionally, any object derived from a tainted object is also tainted. Objects that come from the external environment are automatically marked as tainted; this includes command line arguments (ARGV), environment variables (ENV), and data read from files, sockets or other streams. The environment variable PATH is an exception: it is tainted only if it contains a world-writable directory.
To check whether an object is tainted and to change its taintedness, use the methods Object.tainted?, Object.taint and Object.untaint:
>> input = gets
=> "exploitable\n"
>> input.tainted?
=> true
>> input.untaint
=> "exploitable\n"
>> input.tainted?
=> false

Literals (such as numbers or symbols) are an exception: they do not carry a taint flag and are always untainted.
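The following is an added example, not code from the guide above: it shows the defensive pattern the taint flag is meant to support (validate untrusted input against an allow-list before clearing its flag) and that derived strings inherit the flag. The helper names are hypothetical. It also guards on the Ruby version, because taint tracking was deprecated in Ruby 2.7 (the methods became no-ops) and removed entirely in Ruby 3.2.

```ruby
# Added example (not part of the original guide). Assumes nothing beyond
# the standard library; Gem::Version is loaded by default with rubygems.

# True only on Rubies that still track the taint flag (before 2.7).
# From 2.7 the methods are no-ops with warnings; from 3.2 they are gone.
def taint_tracked?
  Gem::Version.new(RUBY_VERSION) < Gem::Version.new("2.7")
end

# Hypothetical allow-list for an identifier read from an untrusted source:
# lowercase letter, then up to 31 lowercase letters, digits or underscores.
IDENTIFIER = /\A[a-z][a-z0-9_]{0,31}\z/.freeze

# Validate the input first; only then is it safe to drop the taint flag.
# Returns a fresh (untainted) copy, or raises if validation fails.
def sanitize_identifier(input)
  unless IDENTIFIER.match?(input)
    raise ArgumentError, "rejected untrusted identifier: #{input.inspect}"
  end
  clean = input.dup                # dup: literals may be frozen
  clean.untaint if taint_tracked?  # safe: input has passed validation
  clean
end

# Demonstrates propagation: a string built from tainted input is tainted.
# Returns true where taint is tracked, :unsupported on newer Rubies.
def derived_tainted?(input)
  return :unsupported unless taint_tracked?
  source = input.dup
  source.taint                     # simulate data read from a socket/ARGV
  (source + "_suffix").tainted?    # String#+ carries the flag over
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_identifier("report_2024")   # accepted, returned untainted
  puts derived_tainted?("payload").inspect  # true, or :unsupported
  begin
    sanitize_identifier("report; rm -rf /") # rejected by the allow-list
  rescue ArgumentError => e
    puts e.message
  end
end
```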