malei0311
Reputation: 201
Avoid executing system command with Ruby secure open
In terminal, typing:
> irb
> require('open-uri')
> open("| curl http://www.haosou.com").read
can execute a system command. How can I avoid this?
Upvotes: 1
Views: 66
Answers (1)
PJ Bergeron
Reputation: 2998
Executing this kind of command is a serious security issue.
You can use a regex to validate the format:
/^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/ix
The validation can be done in a model:
validates_format_of :url, :with => /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/ix
Or elsewhere:
if url =~ /^(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/ix
require('open-uri')
open(url).read
end
Upvotes: 1
Related Questions
- hiding system command results in ruby
- Forming sanitary shell commands or system calls in Ruby
- Suppressing the output of a command run using 'system' method while running it in a ruby script
- rails how to run system command from rails command securely
- Ruby Project - Prevent a ruby file from directly being called from OS command line
- How to execute and capture stdout of external command in Ruby using system() without shell escaping?
- How to block ruby exec commands
- Executing System Commands with Rails
- Using Rails commands with a disabled command line
- How to untaint execution of system command