| author | Burdette Lamar <BurdetteLamar@Yahoo.com> | 2022-02-18 06:46:04 -0600 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-02-18 06:46:04 -0600 |
| commit | e9a2b30744a62268c66d6c17730ed96486d9783c (patch) | |
| tree | fb36036ef21bdfc71104a527766a692f8a834b65 /doc/command_injection.rdoc | |
| parent | 542a38f619bea9fa7aa5a6be1449fc5f9b4d01e9 (diff) | |
Enhanced RDoc concerning command injection (#5537)
Clarifies security vulnerabilities for commands.
Treats:
Kernel.system
Kernel.` (backtick)
IO.popen
IO.read
IO.write
IO.binread
IO.binwrite
IO.readlines
IO.foreach
Notes
Notes:
Merged-By: BurdetteLamar <BurdetteLamar@Yahoo.com>
Diffstat (limited to 'doc/command_injection.rdoc')
-rw-r--r-- | doc/command_injection.rdoc | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/command_injection.rdoc b/doc/command_injection.rdoc new file mode 100644 index 0000000000..8f1303bcf7 --- /dev/null +++ b/doc/command_injection.rdoc @@ -0,0 +1,29 @@ +== Command Injection + +Some Ruby core methods accept string data +that includes text to be executed as a system command. + +They should not be called with unknown or unsanitized commands. + +These methods include: + +- Kernel.system +- {`command` (backtick method)}[rdoc-ref:Kernel#`] + (also called by the expression <tt>%x[command]</tt>). +- IO.popen(command). +- IO.read(command). +- IO.write(command). +- IO.binread(command). +- IO.binwrite(command). +- IO.readlines(command). +- IO.foreach(command). + +Note that some of these methods do not execute commands when called +from subclass \File: + +- File.read(path). +- File.write(path). +- File.binread(path). +- File.binwrite(path). +- File.readlines(path). +- File.foreach(path). |
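Review bot: the new list tells readers not to pass "unknown or unsanitized commands" but never says what makes a string argument a command rather than a file path for IO.read, IO.write, IO.binread, IO.binwrite, IO.readlines and IO.foreach, so a reader of this page cannot tell why the File.read / File.write / File.binread / File.binwrite / File.readlines / File.foreach variants in the closing list are safe; state the rule that distinguishes a command argument from a path argument in these methods, and recommend the File.* forms whenever the value comes from untrusted input. Two smaller points in the same hunk: only the backtick entry is an rdoc-ref link while `Kernel.system` and the `IO.*` entries are bare text, so link them consistently; and "some of these methods do not execute commands when called from subclass \File" is imprecise, since the list that follows covers every IO method above except `IO.popen`, so say that directly rather than "some".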