Class: Scanny::Checks::ShellExpandingMethodsCheck

Inherits:

Check

• Object
• Check
• Scanny::Checks::ShellExpandingMethodsCheck

Defined in:

lib/scanny/checks/shell_expanding_methods_check.rb

Overview

Checks for methods executing external commands that pass the command through shell expansion. This can cause unwanted code execution if the command includes unescaped input.

Instance Method Summary

• #check(node) ⇒ Object
• #pattern ⇒ Object
• #pattern_execute_string ⇒ Object

  ‘system_command`.

• #pattern_popen ⇒ Object

  IO.popen IO.popen3.

• #pattern_shell_expanding ⇒ Object

  system(“rm -rf /”).

• #warning_message(node = nil) ⇒ Object

Methods inherited from Check

#compiled_pattern, #issue, #strict?, #visit

Instance Method Details

#check(node) ⇒ Object

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 15

def check(node)
  # The command goes through shell expansion only if it is passed as one
  # argument.
  issue :high, warning_message(node), :cwe => [88, 78]
end

#pattern ⇒ Object

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 7

def pattern
  [
    pattern_shell_expanding,
    pattern_popen,
    pattern_execute_string
  ].join("|")
end

#pattern_execute_string ⇒ Object

‘system_command`

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 49

def pattern_execute_string
  "ExecuteString"
end

#pattern_popen ⇒ Object

IO.popen IO.popen3

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 39

def pattern_popen
  <<-EOT
    SendWithArguments<
      name ^= :popen,
      arguments = ActualArguments<array = [any]>
    >
  EOT
end

#pattern_shell_expanding ⇒ Object

system(“rm -rf /”)

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 27

def pattern_shell_expanding
  <<-EOT
    SendWithArguments<
      receiver  = Self | ConstantAccess<name = :Kernel>,
      name      = :` | :exec | :system | :spawn,
      arguments = ActualArguments<array = [any]>
    >
  EOT
end

#warning_message(node = nil) ⇒ Object

# File 'lib/scanny/checks/shell_expanding_methods_check.rb', line 21

def warning_message(node = nil)
  name = node.respond_to?(:name) ? node.name : "`"
  "The \"#{name}\" method passes the executed command through shell expansion."
end