Command Injection
Some Ruby core methods accept string data that includes text to be executed as a system command.
They should not be called with unknown or unsanitized commands.
These methods include:
Kernel.execKernel.spawnKernel.systemcommand(backtick method) (also called by the expression %x).IO.popen(when called with other than "-").
Some methods execute a system command only if the given path name starts with a |:
Kernel.open(command).IO.read(command).IO.write(command).IO.binread(command).IO.binwrite(command).IO.readlines(command).IO.foreach(command).URI.open(command).
Note that some of these methods do not execute commands when called
from subclass File:
File.read(path).File.write(path).File.binread(path).File.binwrite(path).File.readlines(path).File.foreach(path).