Prevent path injection

This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

ID: ruby-security/path-injection

Language: Ruby

Severity: Error

Category: Security

CWE: 22

Description

This rule detects potential path injection vulnerabilities where user-controlled input is used directly in file system paths or command executions. Path injection can allow attackers to manipulate file paths, leading to unauthorized file access, data leakage, or arbitrary command execution.

It is important to prevent path injection to maintain the integrity and security of your application and the underlying system. Without proper validation or sanitization, attackers might craft input that traverses directories, accesses sensitive files, or executes malicious commands.

To avoid path injection, always validate and sanitize user inputs before incorporating them into file paths or system commands. Use safe methods to construct paths, such as whitelisting allowed filenames or directories, and avoid directly interpolating user input into system calls. For example, instead of File.open("/tmp/#{params[:file]}"), sanitize the filename first: filename = sanitize(params[:file]) followed by File.open("/safe/path/#{filename}").

Non-Compliant Code Examples

File.open(params[:file])

filename = params[:file]
File.open(filename)

File.open("/tmp/#{params[:file]}")
system("ls #{params[:dir]}")

Compliant Code Examples

File.open("/safe/path/#{sanitize(filename)}")
File.open("/safe/path/params")
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Security

Datadog Code Security