Class: RuboCop::Cop::GitlabSecurity::SystemCommandInjection

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/gitlab_security/system_command_injection.rb

Overview

Check for use of system("/bin/ls #{file}")

Passing user input to system() without sanitization and parameterization can result in command injection.

Examples:


# bad
system("/bin/ls #{filename}")

# good (parameters)
system("/bin/ls", filename)
# even better
exec("/bin/ls", shell_escape(filename))

Constant Summary

MSG =
'Do not include variables in the command name for system(). ' \
'Use parameters "system(cmd, params)" or exec() instead.'

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 29

# Reports a `system(...)` call (as identified by `command?`) when any of its
# arguments is an interpolated string per `system_var?`; the offense is
# anchored on the method name.
#
# @param node [RuboCop::AST::SendNode] the `send` node being inspected
# @return [void]
def on_send(node)
  return unless node.command?(:system)

  interpolated_arg = node.arguments.any? { |arg| system_var?(arg) }
  return unless interpolated_arg

  add_offense(node.loc.selector)
end

#system_var?(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 25

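# Matches a string literal containing interpolation: a `dstr` node with at
# least one `begin` child, in any position. A literal prefix before the first
# interpolation is deliberately not required, so `"#{cmd} -la"` (the command
# name itself interpolated) is flagged alongside `"/bin/ls #{file}"`.
def_node_matcher :system_var?, <<-PATTERN
  (dstr <(begin ...) ...>)
PATTERN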