- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
ID: ruby-security/shell-injection
Language: Ruby
Severity: Warning
Category: Security
CWE: 94
This rule checks for potential shell injection vulnerabilities in your Ruby code. Shell injection is a serious security risk, as it allows an attacker to execute arbitrary commands on your system, potentially leading to data theft, corruption, or other malicious actions. When user input is used to form shell commands, it is essential to ensure that it cannot be manipulated to alter the intended command execution.
The importance of this rule cannot be overstated. Preventing shell injection attacks is a critical aspect of maintaining the security and integrity of your application and its data. Shell injections can lead to severe consequences, including unauthorized access, data breaches, and system compromise.
To avoid shell injection vulnerabilities, always use the array form of system commands in Ruby, such as system("echo", "Hello, World!")
instead of system("echo Hello, World!")
. The array form ensures that the arguments are passed directly to the command and not interpreted by the shell. Also, avoid using user input directly in shell commands. If it’s unavoidable, make sure to sanitize the input thoroughly before using it. Use libraries such as Shellwords.escape
to escape any potentially dangerous characters in the user input.
Process.exec([binary, argument], "somethingelse")
system(my_command)
Process.spawn([command, argument])
exec(my_command)
spawn([command, argument])
Open3.capture2(command, :stdin_data=>"42")
Open3.capture2e(command)
Open3.capture3(command)
Open3.pipeline(cmd1, cmd2)
Process.exec(command, File.basename(__FILE__), *ARGV)
return system "xdg-open", address if Utils::Platforms.linux?
Process.exec('osctl', File.basename(__FILE__), *ARGV)
system("ls /home")
Process.spawn(["ls", "/home"])
exec("ls /home")
spawn(["ls", "/home"])
Open3.capture2("ls /home", :stdin_data=>"42")
Open3.capture2e("ls /home")
Open3.capture3("ls /home")
Open3.pipeline("ls", "cat")
Process.exec("ls /home", File.basename(__FILE__), *ARGV)