I have a perhaps-naive question about section 8.7 on command-line injection:
The code
```ruby
system("/bin/echo", "hello; rm *")
# prints "hello; rm *" and does not delete files
```
is given as an example of a way to sanitize inputs to the system command, but if the attacker can change the second argument here, then this is vulnerable to
```ruby
system("/bin/echo", "rm *")
```
So I think this is a bad example, although I'm not sure what to replace it with, and I am too inexperienced to feel confident changing the Ruby guide myself.
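To see concretely what the two forms of `system` do with the hostile argument from the question, here is an added example (not from the Ruby guide or the original post). It uses `Open3.capture2` instead of `system` so the output can be captured and checked; the canary-file helper, the `HOSTILE` constant and the function names are my own. The single-string form, because it contains shell metacharacters, is handed to `/bin/sh -c`, so `;` terminates `echo` and `rm *` runs as a second command. The argv form calls `execve` directly with the string as one literal argument to `/bin/echo`, so no shell ever parses it and `;` and `*` are inert, whatever the attacker puts in that argument.

```ruby
require "open3"
require "tmpdir"

# Hostile input, constructed for this example: the value from the question.
HOSTILE = "hello; rm *"

# Unsafe form: one string containing shell metacharacters. Ruby passes it to
# /bin/sh -c, so ';' ends the echo command and 'rm *' runs afterwards.
def echo_via_shell(arg, dir)
  out, _status = Open3.capture2("/bin/echo #{arg}", chdir: dir)
  out
end

# Safe form: argv style. Ruby execs /bin/echo directly with 'arg' as a single
# argument; no shell is involved, so ';' and '*' reach echo as plain text.
def echo_via_argv(arg, dir)
  out, _status = Open3.capture2("/bin/echo", arg, chdir: dir)
  out
end

# Run one variant inside a scratch directory holding a canary file and
# return [captured stdout, canary still present?].
def probe(arg)
  Dir.mktmpdir do |dir|
    canary = File.join(dir, "important.txt")
    File.write(canary, "do not delete")
    out = yield(arg, dir)
    [out, File.exist?(canary)]
  end
end

def probe_shell(arg = HOSTILE)
  probe(arg) { |a, d| echo_via_shell(a, d) }
end

def probe_argv(arg = HOSTILE)
  probe(arg) { |a, d| echo_via_argv(a, d) }
end

if $PROGRAM_NAME == __FILE__
  p probe_shell   # stdout "hello\n", canary deleted
  p probe_argv    # stdout "hello; rm *\n", canary intact
  p probe_argv("rm *")  # the second variant from the question: still harmless
end
```

The only thing that decides between the two behaviours is whether a shell gets to parse the string; the multi-argument form avoids the shell entirely rather than sanitizing the input.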