Class: Brakeman::CheckExecute

Inherits:
BaseCheck
  • Object
Defined in:
lib/brakeman/checks/check_execute.rb

Overview

Checks for string interpolation and parameters in calls to Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.

Examples of command injection vulnerabilities:

  system("rm -rf #{params[:file]}")
  exec(params)
  `unlink #{params[:something]}`

Constant Summary

SAFE_VALUES =
[s(:const, :RAILS_ROOT),
s(:call, s(:const, :Rails), :root),
s(:call, s(:const, :Rails), :env),
s(:call, s(:const, :Process), :pid)]
SHELL_ESCAPE_MODULE_METHODS =
SHELL_ESCAPE_MIXIN_METHODS =
KNOWN_SHELL_COMMANDS =

These are common shells that are known to allow the execution of commands via a -c flag. See dash_c_shell_command? for more info.

SHELLWORDS =
s(:const, :Shellwords)
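The following Ruby is an added example, not code from Brakeman itself. It puts the shape this check reports (tainted data interpolated into a backtick command) next to the two forms the check treats as safe (an argument escaped with Shellwords, and the argv form with no shell), and also shows the case KNOWN_SHELL_COMMANDS exists for: an argv-form call whose program is a shell run with -c, which re-opens the injection. The tainted input is constructed to stand in for a request parameter; the example assumes a POSIX sh and an echo binary on PATH.

```ruby
require 'open3'
require 'shellwords'

# Constructed attacker input standing in for a request parameter such as
# params[:name]; the "; echo INJECTED" tail is the payload.
TAINTED_NAME = "alice; echo INJECTED"

# The pattern CheckExecute warns about: tainted data interpolated into a
# single command string inside backticks. Because the string contains
# shell metacharacters Ruby hands it to /bin/sh -c, and ";" terminates
# the intended command and starts the attacker's.
def greet_vulnerable(name)
  `echo Hello #{name}`
end

# Hardened form 1: Shellwords.escape. The command still runs via sh -c,
# but the value is backslash-quoted so the shell sees a single word.
# CheckExecute treats Shellwords.escape / String#shellescape as a
# sanitiser and does not warn here.
def greet_escaped(name)
  out, _status = Open3.capture2("echo Hello #{Shellwords.escape(name)}")
  out
end

# Hardened form 2: the argv form. With separate arguments Ruby execs the
# program directly, no shell is involved, and metacharacters are literal.
def greet_argv(name)
  out, _status = Open3.capture2("echo", "Hello", name)
  out
end

# Argv form that is still injectable: the program being exec'd is a shell
# invoked with -c, so the shell parses the tainted string anyway. This is
# the case KNOWN_SHELL_COMMANDS / dash_c_shell_command? are there to catch.
def greet_sh_dash_c(name)
  out, _status = Open3.capture2("sh", "-c", "echo Hello #{name}")
  out
end

# The payload succeeded if "INJECTED" was printed on its own line by a
# second command, rather than echoed back as part of the greeting text.
def injected?(output)
  output.lines.any? { |line| line.strip == "INJECTED" }
end

if __FILE__ == $PROGRAM_NAME
  {
    "backticks with interpolation" => greet_vulnerable(TAINTED_NAME),
    "Shellwords.escape"            => greet_escaped(TAINTED_NAME),
    "argv form"                    => greet_argv(TAINTED_NAME),
    "sh -c with interpolation"     => greet_sh_dash_c(TAINTED_NAME),
  }.each do |label, out|
    puts "#{label}: #{injected?(out) ? 'INJECTED' : 'safe'} -> #{out.inspect}"
  end
end
```

The two hardened variants print the whole tainted value, semicolon included, as literal text, while the backtick and sh -c variants run the second command. Note that the argv form is only safe when the program itself does not interpret its arguments as shell syntax; that is why a bare `["sh", "-c", str]` is still flagged.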

Instance Method Summary

Instance Method Details

#run_check ⇒ Object

Check models, controllers, and views for command injection.

# File 'lib/brakeman/checks/check_execute.rb', line 31

def run_check
  # Backtick and %x literals are string nodes rather than method calls,
  # so they are collected separately before the call search below.
  Brakeman.debug "Finding system calls using ``"
  check_for_backticks tracker

  # Kernel#open spawns a command when its first argument starts with "|",
  # so open calls get their own pass.
  check_open_calls

  # Explicit process-spawning calls: on IO, Open3, Kernel, POSIX::Spawn,
  # Process, or with no receiver (plain system/exec/spawn/...). Nested
  # calls, i.e. those appearing inside other calls, are included.
  Brakeman.debug "Finding other system calls"
  calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, :'POSIX::Spawn', :Process, nil],
    :methods => [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
      :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
      :popen3, :spawn, :syscall, :system], :nested => true

  # Each match is checked for interpolated or parameter-derived arguments.
  Brakeman.debug "Processing system calls"
  calls.each do |result|
    process_result result
  end
end