mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

Enhanced RDoc concerning command injection (#5537)

Clarifies security vulnerabilities for commands.

Treats:

    Kernel.system
    Kernel.` (backtick)
    IO.popen
    IO.read
    IO.write
    IO.binread
    IO.binwrite
    IO.readlines
    IO.foreach
Burdette Lamar 2022-02-18 06:46:04 -06:00 committed by GitHub
parent 542a38f619
commit e9a2b30744
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
Notes: git 2022-02-18 21:46:25 +09:00
Merged-By: BurdetteLamar <BurdetteLamar@Yahoo.com>
4 changed files with 79 additions and 26 deletions

@ -0,0 +1,29 @@
== Command Injection
Some Ruby core methods accept string data
that includes text to be executed as a system command.
They should not be called with unknown or unsanitized commands.
These methods include:
- Kernel.system
- {`command` (backtick method)}[rdoc-ref:Kernel#`]
(also called by the expression <tt>%x[command]</tt>).
- IO.popen(command).
- IO.read(command).
- IO.write(command).
- IO.binread(command).
- IO.binwrite(command).
- IO.readlines(command).
- IO.foreach(command).
Note that some of these methods do not execute commands when called
from subclass \File:
- File.read(path).
- File.write(path).
- File.binread(path).
- File.binwrite(path).
- File.readlines(path).
- File.foreach(path).
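Review bot: the new section lists IO.read(command), IO.write(command), IO.binread, IO.binwrite, IO.readlines and IO.foreach as command-executing and then contrasts them with File.read(path) and friends, but it never states what makes the argument a command rather than a path, so a reader cannot tell which input needs guarding; for these IO methods it is a path string that begins with a pipe character ("|"), and one sentence saying so (e.g. "For the IO methods, a string whose first character is | is run as a command rather than opened as a file") would make the warning actionable, ideally alongside a pointer to the File methods as the path-only alternative. A smaller consistency point: Kernel.system is plain text while the backtick entry uses an rdoc-ref link, and the IO/File bullets end with a period while the first two do not; linking Kernel.system the same way and settling on one list punctuation would read better.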