
Metadata

ID: ruby-security/path-injection

Language: Ruby

Severity: Error

Category: Security

CWE: 22

Description

This rule detects potential path injection vulnerabilities where user-controlled input is used directly in file system paths or command executions. Path injection can allow attackers to manipulate file paths, leading to unauthorized file access, data leakage, or arbitrary command execution.

It is important to prevent path injection to maintain the integrity and security of your application and the underlying system. Without proper validation or sanitization, attackers might craft input that traverses directories, accesses sensitive files, or executes malicious commands.

To avoid path injection, always validate and sanitize user inputs before incorporating them into file paths or system commands. Use safe methods to construct paths, such as whitelisting allowed filenames or directories, and avoid directly interpolating user input into system calls. For example, instead of File.open("/tmp/#{params[:file]}"), sanitize the filename first: filename = sanitize(params[:file]) followed by File.open("/safe/path/#(unknown)").

Non-Compliant Code Examples

File.open(params[:file])             # user input used as the entire path
filename = params[:file]
File.open(filename)                  # same flaw, reached through an intermediate variable
File.open("/tmp/#{params[:file]}")   # a prefix does not help: "../" segments traverse out of /tmp
system("ls #{params[:dir]}")         # string interpolation into a shell command

Compliant Code Examples

File.open("/safe/path/#{sanitize(filename)}")   # sanitize is the application's own validation helper
File.open("/safe/path/params")                  # fixed literal path, no user input involved
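The compliant examples above leave the body of sanitize to the application. The following is an added example, not code from this rule page or from Datadog, showing one way to write that helper in Ruby: an allow-list on the filename plus a containment check on the resolved path, and the argument-list form of system instead of shell interpolation. The base directory /safe/path and the helper names are assumptions for the example.

```ruby
# Added example (not part of the rule page): safe construction of a path
# from user input, as a replacement for File.open("/tmp/#{params[:file]}").
SAFE_DIR = "/safe/path"  # assumed base directory, mirrors the page's example

class PathInjectionError < StandardError; end

# Returns the absolute path of +user_input+ inside +base_dir+, or raises.
def safe_path(user_input, base_dir = SAFE_DIR)
  raise PathInjectionError, "empty filename" if user_input.nil? || user_input.empty?
  # Allow-list: one path component of word characters, dots and dashes that
  # does not start with a dot. This rejects "/", "..", hidden files and any
  # shell metacharacter (space, ";", "|", "$", backticks, ...).
  unless user_input.match?(/\A[\w-][\w.-]*\z/)
    raise PathInjectionError, "disallowed filename: #{user_input.inspect}"
  end
  base = File.expand_path(base_dir)
  resolved = File.expand_path(user_input, base)
  # Defence in depth: even if the allow-list were loosened later, the
  # resolved path must still sit below base (trailing separator matters,
  # otherwise "/safe/path-other" would pass a plain prefix check).
  unless resolved.start_with?(base + File::SEPARATOR)
    raise PathInjectionError, "path escapes #{base}: #{resolved}"
  end
  resolved
end

# Compliant replacement for File.open("/tmp/#{params[:file]}").
def open_user_file(user_input, &block)
  File.open(safe_path(user_input), "r", &block)
end

# Compliant replacement for system("ls #{params[:dir]}"): with separate
# arguments Ruby execs the program directly, no shell parses the string.
def list_user_dir(user_input)
  system("ls", "--", safe_path(user_input))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one benign name, two traversal attempts.
  %w[report.txt ../etc/passwd .ssh].each do |name|
    begin
      puts "#{name.inspect} -> #{safe_path(name)}"
    rescue PathInjectionError => e
      puts "#{name.inspect} rejected: #{e.message}"
    end
  end
end
```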