Class/Module Index [+]

Quicksearch

Brakeman::CheckExecute

Checks for string interpolation and parameters in calls to Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.

Examples of command injection vulnerabilities:

system("rf -rf #{params[:file]}")
exec(params[:command])
`unlink #{params[:something}`

Public Instance Methods

check_for_backticks(tracker) click to toggle source

Looks for calls using backticks such as

`rm -rf #{params[:file]}`
# File lib/brakeman/checks/check_execute.rb, line 64
def check_for_backticks tracker
  tracker.find_call(:target => nil, :method => :`).each do |result|
    process_backticks result
  end
end
process_backticks(result) click to toggle source

Processes backticks.

# File lib/brakeman/checks/check_execute.rb, line 71
def process_backticks result
  return if duplicate? result

  add_result result

  exp = result[:call]

  if input = include_user_input?(exp)
    confidence = CONFIDENCE[:high]
    user_input = input.match
  else
    confidence = CONFIDENCE[:med]
    user_input = nil
  end

  warning = { :warning_type => "Command Injection",
    :message => "Possible command injection",
    :code => exp,
    :user_input => user_input,
    :confidence => confidence }

  if result[:location][0] == :template
    warning[:template] = result[:location][1]
  else
    warning[:class] = result[:location][1]
    warning[:method] = result[:location][2]
  end

  warn warning
end
process_result(result) click to toggle source

Processes results from Tracker#find_call.

# File lib/brakeman/checks/check_execute.rb, line 31
def process_result result
  call = result[:call]
  args = call.arglist
  first_arg = call.first_arg

  case call.method
  when :system, :exec
    failure = include_user_input?(first_arg) || include_interp?(first_arg)
  else
    failure = include_user_input?(args) || include_interp?(args)
  end

  if failure and not duplicate? result
    add_result result

    if failure.type == :interp #Not from user input
      confidence = CONFIDENCE[:med]
    else
      confidence = CONFIDENCE[:high]
    end

    warn :result => result,
      :warning_type => "Command Injection", 
      :message => "Possible command injection",
      :code => call,
      :user_input => failure.match,
      :confidence => confidence
  end
end
run_check() click to toggle source

Check models, controllers, and views for command injection.

# File lib/brakeman/checks/check_execute.rb, line 17
def run_check
  Brakeman.debug "Finding system calls using ``"
  check_for_backticks tracker

  Brakeman.debug "Finding other system calls"
  calls = tracker.find_call :targets => [:IO, :Open3, :Kernel, nil], :methods => [:exec, :popen, :popen3, :syscall, :system]

  Brakeman.debug "Processing system calls"
  calls.each do |result|
    process_result result
  end
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.