author: Burdette Lamar <BurdetteLamar@Yahoo.com> 2022-02-18 06:46:04 -0600
committer: GitHub <noreply@github.com> 2022-02-18 06:46:04 -0600
commit: e9a2b30744a62268c66d6c17730ed96486d9783c (patch)
tree: fb36036ef21bdfc71104a527766a692f8a834b65 /doc
parent: 542a38f619bea9fa7aa5a6be1449fc5f9b4d01e9 (diff)
Enhanced RDoc concerning command injection (#5537)
Clarifies security vulnerabilities for commands. Treats:

- Kernel.system
- Kernel.` (backtick)
- IO.popen
- IO.read
- IO.write
- IO.binread
- IO.binwrite
- IO.readlines
- IO.foreach
Notes: Merged-By: BurdetteLamar <BurdetteLamar@Yahoo.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/command_injection.rdoc 29
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/command_injection.rdoc b/doc/command_injection.rdoc
new file mode 100644
index 0000000000..8f1303bcf7
--- /dev/null
+++ b/doc/command_injection.rdoc
@@ -0,0 +1,29 @@
+== Command Injection
+
+Some Ruby core methods accept string data
+that includes text to be executed as a system command.
+
+They should not be called with unknown or unsanitized commands.
+
+These methods include:
+
+- Kernel.system
+- {`command` (backtick method)}[rdoc-ref:Kernel#`]
+ (also called by the expression <tt>%x[command]</tt>).
+- IO.popen(command).
+- IO.read(command).
+- IO.write(command).
+- IO.binread(command).
+- IO.binwrite(command).
+- IO.readlines(command).
+- IO.foreach(command).
+
+Note that some of these methods do not execute commands when called
+from subclass \File:
+
+- File.read(path).
+- File.write(path).
+- File.binread(path).
+- File.binwrite(path).
+- File.readlines(path).
+- File.foreach(path).
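Review bot: the new file lists IO.read(command), IO.write(command), IO.readlines(command) and the other IO readers and writers as command-executing methods, but never says what makes their argument a command rather than a file path (for these IO methods it is a string beginning with `|`, as in `IO.read("|date")`), so a reader cannot tell which inputs are actually dangerous or why the File versions listed afterwards are safe; suggest stating that distinction explicitly next to the list and recommending the File counterparts whenever the argument is meant to be a path. Smaller points: "They should not be called with unknown or unsanitized commands." would be stronger as "must not be called with untrusted input", since the warning is about input, not about the command string alone; and the first bullet `+- Kernel.system` lacks the trailing period the other bullets use, so either drop the periods from all bullets or add one there.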