Command Injection
Some Ruby core methods accept string data that includes text to be executed as a system command.
They should not be called with untrusted or unsanitized input, because an attacker-controlled string is run as a command.
These methods include:
- Kernel.exec
- Kernel.spawn
- Kernel.system
- `command` (the backtick method; also invoked by the expression %x[command])
- IO.popen (when called with an argument other than "-")
Some methods execute a system command only if the given path name starts with a "|":
- Kernel.open(command)
- IO.read(command)
- IO.write(command)
- IO.binread(command)
- IO.binwrite(command)
- IO.readlines(command)
- IO.foreach(command)
- URI.open(command)
Note that some of these methods do not execute commands when called on the subclass File:
- File.read(path)
- File.write(path)
- File.binread(path)
- File.binwrite(path)
- File.readlines(path)
- File.foreach(path)
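The following is an added example, not part of the Ruby documentation above. It shows the "|" pipe behaviour the list describes (Kernel.open runs a command, File.read looks for a file literally named with the "|"), a guard that refuses pipe-prefixed paths before they reach an IO method, and the argv form of IO.popen, which passes untrusted data as a single argument with no shell involved. It assumes a POSIX system with `echo` and `printf` on the PATH.

```ruby
# Guard for user-supplied paths: Kernel.open, IO.read, IO.write and the other
# methods listed above treat a leading "|" as "run this command", so refuse it
# before the string reaches any of them.
def reject_pipe_path(path)
  raise ArgumentError, "refusing pipe-prefixed path #{path.inspect}" if path.start_with?("|")
  path
end

# Read a user-supplied path with no possibility of command execution:
# File.read never interprets "|", and the guard rejects it anyway.
def read_user_file(path)
  File.read(reject_pipe_path(path))
end

# Contrast documented in the list above, on the same "|"-prefixed string:
# Kernel.open executes the command and returns its output, while File.read
# only looks for a file whose name begins with "|" (and fails when none exists).
def pipe_behaviour(cmd_string)
  via_open = open(cmd_string) { |io| io.read }.chomp   # Kernel.open: runs a command
  via_file = begin
    File.read(cmd_string)                                # File.read: plain file access
  rescue Errno::ENOENT
    :no_such_file
  end
  [via_open, via_file]
end

# Untrusted data as a command argument: the array form of IO.popen passes it as
# one argv entry directly to the program, so shell metacharacters stay literal.
# (The single-string form, like backticks, would hand the text to /bin/sh.)
def printf_argv(arg)
  IO.popen(["printf", "%s", arg], &:read)
end

if __FILE__ == $PROGRAM_NAME
  p pipe_behaviour("|echo from-command")
  p printf_argv("one; two $HOME")
  begin
    read_user_file("|echo never-runs")
  rescue ArgumentError => e
    puts e.message
  end
end
```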