command_injection - Documentation for Ruby 4.0 (original) (raw)

Command Injection

Some Ruby core methods accept string data that includes text to be executed as a system command.

They should not be called with unknown or unsanitized commands.

These methods include:

• Kernel.exec
• Kernel.spawn
• Kernel.system
• ‘command` (backtick method) (also called by the expression %x[command]).
• IO.popen (when called with other than "-").

Some methods execute a system command only if the given path name starts with a |:

• Kernel.open(command).
• IO.read(command).
• IO.write(command).
• IO.binread(command).
• IO.binwrite(command).
• IO.readlines(command).
• IO.foreach(command).
• URI.open(command).

Note that some of these methods do not execute commands when called from subclass File:

• File.read(path).
• File.write(path).
• File.binread(path).
• File.binwrite(path).
• File.readlines(path).
• File.foreach(path).