= Command Injection

Some Ruby core methods accept string data
that includes text to be executed as a system command.
They should not be called with unknown or unsanitized commands.

These methods include:

- Kernel.exec
- Kernel.spawn
- Kernel.system
- {\`command` (backtick method)}[rdoc-ref:Kernel#`]
  (also called by the expression <tt>%x[command]</tt>).
- IO.popen (when called with a command string other than <tt>"-"</tt>).

Some methods execute a system command only if the given path name starts
with a <tt>|</tt>:

- Kernel.open(command).
- IO.read(command).
- IO.write(command).
- IO.binread(command).
- IO.binwrite(command).
- IO.readlines(command).
- IO.foreach(command).
- URI.open(command).

Note that the corresponding methods of the subclass +File+ do not execute
commands, even when the path starts with a <tt>|</tt>:

- File.read(path).
- File.write(path).
- File.binread(path).
- File.binwrite(path).
- File.readlines(path).
- File.foreach(path).
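As an added example (not code from the Ruby documentation), the defensive counterparts of the lists above: +File.read+ for a path that might be attacker-controlled, and the multi-argument form of +Kernel.system+, which passes arguments to the child without a shell; the helper names and the sample path are assumptions.

```ruby
require 'rbconfig'
require 'tmpdir'

# True when IO.read, Kernel#open, IO.readlines and friends would treat
# +path+ as a command to spawn rather than a file to open.
def pipe_path?(path)
  path.to_s.start_with?('|')
end

# Reads a possibly attacker-controlled path as a file only. File.read
# never spawns a process, so "|cmd" simply fails as a missing file.
def read_untrusted_path(path)
  File.read(path)
end

# Runs +tool+ with +args+ via the multi-argument form of Kernel#system:
# no shell is involved, so "|", ";" and similar characters in +args+
# reach the child literally instead of being interpreted.
def run_tool(tool, *args)
  system(tool, *args)
end

# Exercises the helpers and returns a hash of outcomes for checking.
def demo
  hostile = '|echo injected' # constructed sample input
  Dir.mktmpdir do |dir|
    good = File.join(dir, 'data.txt')
    File.write(good, "hello\n")
    out = {}
    out[:flagged] = pipe_path?(hostile)
    out[:plain] = read_untrusted_path(good)
    out[:hostile] = begin
      read_untrusted_path(hostile)
      :read_as_file
    rescue Errno::ENOENT
      :rejected
    end
    # The child exits 0 only if it received the hostile string unchanged
    # as ARGV[0], which the array form of system guarantees.
    out[:literal] = run_tool(RbConfig.ruby, '-e',
                             'exit(ARGV[0] == "|echo injected")', hostile)
    out
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```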