Akash Srivastava

Reputation: 161

Remove command injection in rails

So I have a helper that uses ImageMagick and a method inside it which enforces zbar on command line to extract QR data from an image. The image source has to be parametric.

qr_code_data = %x(zbarimg -q #{src})  # src is interpolated into one string that /bin/sh parses

Brakeman gives me a command injection warning here, obviously. Using only backticks gives the same warning, and while system would produce the result required, it returns true and not the output. I don't want to use a QR-decoding wrapper/gem, or Open3. I need to know whether I can sanitise my image source as a parameter to avoid command injection, other than by using the two options I have mentioned.

Upvotes: 1

Views: 448

Answers (1)

Eric

Reputation: 1511

ImageMagick generally supports using STDIN for input. IO.popen supports replacing stdin of the subprocess with the contents of a file. Try the following:

qr_code_data = ""
# Argument-vector form: no shell is involved, so src is never parsed for
# metacharacters. :in => [src] opens the file src and makes it the child's stdin.
IO.popen(['zbarimg', '-q', 'png:-'], :in => [src]) do |pipe|
  qr_code_data = pipe.read
end

Replace png above with your actual image format or remove png: entirely to allow ImageMagick to determine the file type from the input's magic number.

Upvotes: 1
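Added example, not code from the question or the answer: it contrasts the interpolated `%x()` string from the question with the argument-vector form used in the answer, and adds a path check on top. The names `shell_string`, `zbarimg_argv`, `run_argv`, `argv_received_by_child`, `validated_image_path`, the constant `TAINTED_SRC` and the extension allowlist are all assumptions for this illustration; the Ruby interpreter stands in for zbarimg so the demonstration runs offline.

```ruby
# Added example: string-to-shell vs argv, plus a path allowlist (assumed names).
require 'rbconfig'
require 'tmpdir'

# Constructed sample: a "filename" carrying shell metacharacters.
TAINTED_SRC = "photo.png; echo injected".freeze

# What %x(zbarimg -q #{src}) hands to /bin/sh: a single string that the shell
# tokenises, so ';' ends the zbarimg command and starts a second one.
def shell_string(src)
  "zbarimg -q #{src}"
end

# Argument-vector form: each element becomes one argv entry. No shell runs,
# so metacharacters in src reach the program as literal bytes of one argument.
def zbarimg_argv(src)
  ['zbarimg', '-q', src]
end

# Runs an argv array without a shell; returns [combined output, exit status].
def run_argv(argv)
  out = IO.popen(argv, err: [:child, :out]) { |pipe| pipe.read }
  [out, $?.exitstatus]
end

# Stand-in for zbarimg (assumption, so this runs offline): the Ruby interpreter
# reports how many arguments it received and echoes the first one verbatim.
def argv_received_by_child(src)
  probe = [RbConfig.ruby, '-e', 'puts ARGV.length; puts ARGV[0]', '--', src]
  out, status = run_argv(probe)
  raise "probe failed: #{out}" unless status.zero?
  argc, first = out.split("\n", 2)
  { argc: argc.to_i, first: first.chomp }
end

# Defence in depth on top of the argv form: accept only an existing regular
# file, inside an allowed directory, with an allowed image extension.
# The returned path is absolute, so it can never start with '-' and be read
# as an option by the child program.
ALLOWED_EXT = %w[.png .jpg .jpeg .gif].freeze

def validated_image_path(src, allowed_dir)
  root = File.expand_path(allowed_dir)
  path = File.expand_path(src, root)              # resolves '..' segments
  return nil unless path.start_with?(root + File::SEPARATOR)
  return nil unless ALLOWED_EXT.include?(File.extname(path).downcase)
  return nil unless File.file?(path)
  path
end

if __FILE__ == $PROGRAM_NAME
  puts "shell would receive: #{shell_string(TAINTED_SRC).inspect}"
  puts "argv form:           #{zbarimg_argv(TAINTED_SRC).inspect}"
  puts "child saw:           #{argv_received_by_child(TAINTED_SRC).inspect}"
end
```

With the argv form the child sees exactly one argument, `"photo.png; echo injected"`, and nothing is executed from it; the same string interpolated into `%x()` would be split by the shell. `validated_image_path` is what "sanitising the parameter" amounts to here: rather than escaping characters, restrict the value to a known directory, an existing regular file and an allowlisted extension, and then still pass it as an argv element.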
