Devin M

Reputation: 9752

What is the proper way to sanitize user input when using a Ruby system call?

I have a Ruby on Rails Application that is using the X virtual framebuffer along with another program to grab images from the web. I have structured my command as shown below:

xvfb-run --server-args=-screen 0 1024x768x24 /my/c++/app #{user_provided_url}

What is the best way to make this call in rails with the maximum amount of safety from user input?

Upvotes: 0

Views: 630

Answers (2)

psyho

Reputation: 7212

Maybe I'm wrong, but why don't you just make sure that the string given is really an URL (URI::parse), surround it with single quotes and escape any single quote (') character that appears inside?

Upvotes: 0

Pan Thomakos

Reputation: 34350

You probably don't need to sanitize this input in rails. If it's a URL and it's in a string format then it already has properly escaped characters to be passed as a URL to a Net::HTTP call. That said, you could write a regular expression to check that the URL looks valid. You could also do the following to make sure that the URL is parse-able:

require 'uri'
uri = URI.parse(user_provided_url)

You can then query the object for its relevant parts:

uri.path
uri.host
uri.port

Upvotes: 1
