Class: RuboCop::Cop::GitlabSecurity::SystemCommandInjection
- Inherits: Base (< Object)
- Defined in: lib/rubocop/cop/gitlab_security/system_command_injection.rb
Overview
Checks for uses of system("/bin/ls #{file}"), i.e. a system() call whose command string interpolates a variable.
Passing user input to system() without sanitization and parameterization can result in command injection.
Constant Summary

- MSG =
    'Do not include variables in the command name for system(). ' \
    'Use parameters "system(cmd, params)" or exec() instead.'
Instance Method Summary

- #on_send(node) ⇒ Object
- #system_var?(node) ⇒ Object
Instance Method Details
#on_send(node) ⇒ Object

    # File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 29
    def on_send(node)
      # Only receiver-less calls to system(...) are inspected
      return unless node.command?(:system)
      # Flag the call if any argument is a string with interpolation after a literal prefix
      return unless node.arguments.any? { |e| system_var?(e) }

      add_offense(node.loc.selector)
    end
#system_var?(node) ⇒ Object

    # File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 25
    # Matches an interpolated string (dstr) whose first part is a literal and
    # whose second part is an interpolated expression, e.g. "/bin/ls #{file}"
    def_node_matcher :system_var?, <<-PATTERN
      (dstr (str ...) (begin ...) ...)
    PATTERN