patrickdavey

Reputation: 2076

ruby exec command injection (protection!)

I am running the brakeman gem over a project. It's complaining about some exec commands that are being run.

Current code:

Process.fork {exec "pdftk #{uncrypted_pdf_file} output #{pdf_file} owner_pw #{password} allow printing"}

Brakeman complains suggesting there's a possibility for command injection. I have tried a few different combinations of calling exec for example:

Process.fork {exec "pdftk", uncrypted_pdf_file, " output #{pdf_file} ", "owner_pw #{password}", "allow printing"}

But as you'd expect, each argument just gets passed to pdftk in turn and so it falls over.

Is there a way to call a command in one shot and also protect against command injection? In our specific case it's safe enough anyway as we control all the variables, but it'd be good to know the right way.

Upvotes: 0

Views: 616

Answers (1)

Gumbo

Reputation: 655219

You need to pass each argument separately:

exec "pdftk", uncrypted_pdf_file, "output", pdf_file, "owner_pw", password, "allow", "printing"

You may need to provide the full path to pdftk as well.

Upvotes: 2
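As an added example (not code from the question or the answer above), the following shows why the argv form is safe: with the command and each argument as separate array elements, Ruby calls execve directly and no shell ever tokenises the values, so a filename or password containing spaces, semicolons or ampersands reaches the child as exactly one argument. It also shows Shellwords.escape for the rare case where a single command string really is required. The pdftk argument order is taken from the answer; pdftk itself is not run, the current Ruby interpreter stands in for it and reports the ARGV it received.

```ruby
require "json"
require "open3"
require "rbconfig"
require "shellwords"

# Build the pdftk invocation from the answer as an argv array. Each value is
# its own element, so the child process receives it verbatim, metacharacters
# and all. (Argument names follow the answer; pdftk is not invoked here.)
def pdftk_argv(input_pdf, output_pdf, password)
  ["pdftk", input_pdf, "output", output_pdf,
   "owner_pw", password, "allow", "printing"]
end

# If a single command string is unavoidable (for example it must go through
# a shell), Shellwords.escape quotes every value so the shell sees it as one
# literal word. Prefer pdftk_argv whenever you can.
def pdftk_shell_string(input_pdf, output_pdf, password)
  "pdftk #{Shellwords.escape(input_pdf)} output #{Shellwords.escape(output_pdf)} " \
    "owner_pw #{Shellwords.escape(password)} allow printing"
end

# Run an argv array without a shell and return the child's stdout.
# Open3.capture2 with several arguments uses the argv form, not a shell.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  raise "command failed: #{argv.first}" unless status.success?
  out
end

# Report what a child process actually receives: the current Ruby interpreter
# stands in for pdftk and prints its ARGV as JSON. "--" stops Ruby from
# treating any of the values as interpreter options.
def child_argv(args)
  JSON.parse(run_argv([RbConfig.ruby, "-rjson", "-e", "puts ARGV.to_json", "--", *args]))
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values containing characters a shell would misparse
  # if they were interpolated straight into a command line.
  input  = "quarterly report; echo oops.pdf"
  output = "out file.pdf"
  pw     = "p@ss w0rd&"

  argv = pdftk_argv(input, output, pw)
  p child_argv(argv.drop(1))       # seven arguments, each intact
  puts pdftk_shell_string(input, output, pw)
end
```

The check to keep in mind when reviewing such code: if the call takes one string and that string is built with #{...} interpolation, a shell parses it and every interpolated value is a potential injection point; if the call takes an array, it is not. Shellwords.split applied to the escaped string gives back exactly the argv array, which is the round-trip to verify when you must use the string form.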
