[GR-15198] Remove todos in security documentation.

nirvdrum · nirvdrum · commit a0c4b471f291 · 2019-05-01T21:13:01.000-07:00
PullRequest: truffleruby/831
diff --git a/doc/user/security.md b/doc/user/security.md
@@ -25,13 +25,12 @@ Other levels will raise `ArgumentError` as in standard Ruby.
 
 ## MRI Vulnerabilities
 
-Vulnerabilities reported against MRI may apply to the design of Ruby or to code
-that we share with MRI. We list reported MRI vulnerabilities here and document
-how MRI has mitigated the vulnerability, if the mitigation is tested by
-anything, and how TruffleRuby has mitigated.
-
-Note that *todo* means we just haven't researched and filled the details in
-yet - not that we either believe TruffleRuby is vulnerable or not.
+Vulnerabilities reported against MRI may apply to the design of Ruby or to
+code that we share with MRI. We list reported MRI vulnerabilities here and
+document how MRI has mitigated the vulnerability, if the mitigation is tested
+by anything, and how TruffleRuby has mitigated. We haven't investigated all
+legacy vulnerabilities, as it's often very hard to work out the details from
+older reports.
 
 Cross-reference with the details on the MRI website
 https://www.ruby-lang.org/en/security/.
@@ -44,7 +43,7 @@ CVE-2019-8322 | Escape sequence injection in `gem owner` | Sanitise message | Te
 CVE-2019-8323 | Escape sequence injection vulnerability in API response handling | Sanitise message | Tested in `ruby/spec` `:security` | Applied the same patch
 CVE-2019-8324 | Installing a malicious gem may lead to arbitrary code execution | Verifying gems before pre-install checks | Tested in MRI `test/rubygems/test_gem_installer.rb` | Applied the same patch
 CVE-2019-8325 | Escape sequence injection in errors | Sanitise error messages | Tested in `ruby/spec` `:security` | Applied the same patch
-CVE-2018-16395 | `OpenSSL::X509::Name` equality check does not work correctly | *todo* | *todo* | *todo*
+CVE-2018-16395 | `OpenSSL::X509::Name` equality check does not work correctly | | |
 CVE-2018-16396 | Tainted flags are not propagated in `Array#pack` and `String#unpack` with some directives | Additional taint operations | Tested in `ruby/spec` `:security` | Additional taint operations
 CVE-2018-6914 | Unintentional file and directory creation with directory traversal in `tempfile` and `tmpdir` | Sanitization of paths | Tested in `ruby/spec` `:security` | Sanitization of paths
 CVE-2018-8779 | Unintentional socket creation by poisoned NUL byte in `UNIXServer` and `UNIXSocket` | Check for NUL bytes | Tested in `ruby/spec` `:security` | Check for NUL bytes
@@ -54,46 +53,46 @@ CVE-2017-17742 | HTTP response splitting in WEBrick | Logic for invalid headers
 CVE-2018-8778 | Buffer under-read in String#unpack | A range check | Tested in `ruby/spec` `:security` | A range check
 CVE-2017-17405 | Command injection vulnerability in `Net::FTP` | Treat paths in commands explicitly as paths, not general IO commands | Tested in MRI `test/net/ftp/test_ftp.rb` | Applied the same mitigation
 CVE-2017-10784 | Escape sequence injection vulnerability in the Basic authentication of WEBrick | Proper escaping of logs | Tested in MRI `test/webrick/test_httpauth.rb` | Applied the same mitigation
-CVE-2017-0898 | Buffer underrun vulnerability in `Kernel.sprintf` | *todo* | *todo* | *todo*
-CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | *todo* | *todo* | *todo*
-CVE-2017-14064 | Heap exposure vulnerability in generating JSON | *todo* | *todo* | *todo*
-CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | *todo* | *todo* | *todo*
+CVE-2017-0898 | Buffer underrun vulnerability in `Kernel.sprintf` | | |
+CVE-2017-14033 | Buffer underrun vulnerability in OpenSSL ASN1 decode | | |
+CVE-2017-14064 | Heap exposure vulnerability in generating JSON | | |
+CVE-2017-0902, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901 | Multiple vulnerabilities in RubyGems | | |
 CVE-2015-7551 | Unsafe tainted string usage in Fiddle and DL (regression of the mitigation of CVE-2009-5147) | Additional taint checks | Tested in MRI `test/mri/tests/fiddle/test_handle.rb` | Not applicable as we do not support `$SAFE`, and the `DL` module was removed in Ruby 2.2.0
-CVE-2015-1855 | Ruby OpenSSL Hostname Verification | *todo* | *todo* | *todo*
-CVE-2014-8090 | Another Denial of Service XML Expansion | *todo* | *todo* | *todo*
-CVE-2014-8080 | Denial of Service XML Expansion | *todo* | Tested in `ruby/spec` `:security` | *todo*
-None | Changed default settings of ext/openssl | *todo* | *todo* | *todo*
-CVE-2014-2734 | Dispute of Vulnerability | *todo* | *todo* | *todo*
-CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | *todo* | *todo* | *todo*
-CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | *todo* | *todo* | *todo*
-CVE-2013-4164 | Heap Overflow in Floating Point Parsing  | *todo* | Tested in `ruby/spec` `:security` | *todo*
-CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | *todo* | *todo* | *todo*
+CVE-2015-1855 | Ruby OpenSSL Hostname Verification | | |
+CVE-2014-8090 | Another Denial of Service XML Expansion | | |
+CVE-2014-8080 | Denial of Service XML Expansion | | Tested in `ruby/spec` `:security` |
+None | Changed default settings of ext/openssl | | |
+CVE-2014-2734 | Dispute of Vulnerability | | |
+CVE-2014-0160 | OpenSSL Severe Vulnerability in TLS Heartbeat Extension | | |
+CVE-2014-2525 | Heap Overflow in YAML URI Escape Parsing | | |
+CVE-2013-4164 | Heap Overflow in Floating Point Parsing  | | Tested in `ruby/spec` `:security` |
+CVE-2013-4073 | Hostname check bypassing vulnerability in SSL client | | |
 CVE-2013-2065 | Object taint bypassing in DL and Fiddle in Ruby | Additional taint checks | Tested in MRI `test/mri/tests/fiddle/test_func.rb` | Not applicable as we do not support `$SAFE`, and the `DL` module was removed in Ruby 2.2.0
-CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | *todo* | *todo* | *todo*
-CVE-2013-0269 | Denial of Service and Unsafe Object Creation Vulnerability in JSON | *todo* | *todo* | *todo*
-CVE-2013-0256 | XSS exploit of RDoc documentation generated by `rdoc` | *todo* | *todo* | *todo*
-CVE-2012-5371 | Hash-flooding DoS vulnerability for ruby 1.9 | *todo* | *todo* | *todo*
-CVE-2012-4522 | Unintentional file creation caused by inserting a illegal NUL character | *todo* | *todo* | *todo*
-CVE-2012-4464, CVE-2012-4466  | $SAFE escaping vulnerability about `Exception#to_s` / `NameError#to_s` | *todo* | *todo* | Not applicable as we do not support `$SAFE`
-None | Security Fix for RubyGems: SSL server verification failure for remote repository | *todo* | *todo* | *todo*
-CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | *todo* | *todo* | *todo*
+CVE-2013-1821 | Entity expansion DoS vulnerability in REXML | | |
+CVE-2013-0269 | Denial of Service and Unsafe Object Creation Vulnerability in JSON | | |
+CVE-2013-0256 | XSS exploit of RDoc documentation generated by `rdoc` | | |
+CVE-2012-5371 | Hash-flooding DoS vulnerability for ruby 1.9 | | |
+CVE-2012-4522 | Unintentional file creation caused by inserting a illegal NUL character | | |
+CVE-2012-4464, CVE-2012-4466  | $SAFE escaping vulnerability about `Exception#to_s` / `NameError#to_s` | | | Not applicable as we do not support `$SAFE`
+None | Security Fix for RubyGems: SSL server verification failure for remote repository | | |
+CVE-2011-3389 | Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack | | |
 CVE-2011-4815 | Denial of service attack was found for Ruby's Hash algorithm (cross-reference CVE-2011-4838, CVE-2012-5370, CVE-2012-5372) | Hashes are made non-deterministic by incorporating process start time | Tested in `ruby/spec` `:security` | Hashes are made non-deterministic by incorporating a seed from `/dev/urandom`
-None | Exception methods can bypass `$SAFE` | *todo* | *todo* | Not applicable as we do not support `$SAFE`
-None | FileUtils is vulnerable to symlink race attacks | *todo* | *todo* | *todo*
-CVE-2010-0541 | XSS in WEBrick | *todo* | *todo* | *todo*
-None | Buffer over-run in `ARGF.inplace_mode=` | *todo* | *todo* | *todo*
-None | WEBrick has an Escape Sequence Injection vulnerability | *todo* | *todo* | *todo*
+None | Exception methods can bypass `$SAFE` || | Not applicable as we do not support `$SAFE`
+None | FileUtils is vulnerable to symlink race attacks | | |
+CVE-2010-0541 | XSS in WEBrick | | |
+None | Buffer over-run in `ARGF.inplace_mode=` | | |
+None | WEBrick has an Escape Sequence Injection vulnerability | | |
 CVE-2009-5147 | `DL::dlopen` opens libraries with tainted names | Additional taint checks | The `DL` module does not exist in modern Ruby | Not applicable as we do not support `$SAFE`, and the `DL` module was removed in Ruby 2.2.0
-CVE-2009-4124 | Heap overflow in `String` | *todo* | *todo* | *todo*
-None | DoS vulnerability in `BigDecimal` | *todo* | *todo* | *todo*
-None | DoS vulnerability in `REXML` | *todo* | *todo* | *todo*
-CVE-2008-1447 | Multiple vulnerabilities in Ruby | *todo* | *todo* | *todo*
-CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726, CVE-2008-2664, CVE-2008-1891 | Arbitrary code execution vulnerabilities | *todo* | *todo* | *todo*
-None | File access vulnerability of WEBrick | *todo* | *todo* | *todo*
-None | `Net::HTTPS` Vulnerability | *todo* | *todo* | *todo*
-JVN#84798830 | Another DoS Vulnerability in CGI Library | *todo* | *todo* | *todo*
-CVE-2006-5467 | DoS Vulnerability in CGI Library | *todo* | *todo* | *todo*
-VU#160012 | Ruby vulnerability in the safe level settings | *todo* | *todo* | Not applicable as we do not support `$SAFE`
+CVE-2009-4124 | Heap overflow in `String` | | |
+None | DoS vulnerability in `BigDecimal` | | |
+None | DoS vulnerability in `REXML` | | |
+CVE-2008-1447 | Multiple vulnerabilities in Ruby | | |
+CVE-2008-2662, CVE-2008-2663, CVE-2008-2725, CVE-2008-2726, CVE-2008-2664, CVE-2008-1891 | Arbitrary code execution vulnerabilities | | |
+None | File access vulnerability of WEBrick | | |
+None | `Net::HTTPS` Vulnerability | | |
+JVN#84798830 | Another DoS Vulnerability in CGI Library | | |
+CVE-2006-5467 | DoS Vulnerability in CGI Library | | |
+VU#160012 | Ruby vulnerability in the safe level settings | | | Not applicable as we do not support `$SAFE`
 
 ## JRuby Vulnerabilities
 
