security question

rubyonrails-docs
#1

Hi all,

I have a perhaps-naive question about section 8.7 on command-line injection:

http://guides.rubyonrails.org/security.html#command-line-injection

The code

system(``"/bin/echo"``,``"hello; rm *"``)

# prints "hello; rm *" and does not delete files

is given as an example of a way to sanitize inputs to the system command, but if the attacker can change the second argument here, then this is vulnerable to

system(``"/bin/echo"``,``"rm *`").```

So I think this is a bad example, although I’m not sure what to replace it with, and I am too inexperienced to feel confident changing the ruby guide myself.

-aram

#2

Nope. System, in multiple argument mode, does not evaluate the arguments with the shell. So ``, $foo, ~/ etc don’t get evaluated.

$ irb

system ‘/bin/echo’, ‘rm *

rm *

=> true

#3

When system/exec are given several arguments there is no shell expansion going on:

1.9.3-p194 :001 > system("/bin/echo", “ls”)

ls

=> true

More Resources

Keep up to date with Rails on Twitter and This Week in Rails

Policies: Conduct, License, Maintenance, Security, Trademarks