Class: Brakeman::CheckExecute
In: lib/brakeman/checks/check_execute.rb
Parent: Brakeman::BaseCheck
Checks for string interpolation and parameters in calls to Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
Examples of command injection vulnerabilities this check reports:

    system("rf -rf #{params[:file]}")
    exec(params[:command])
    `unlink #{params[:something]}`
Constants:

SAFE_VALUES = [s(:const, :RAILS_ROOT), s(:call, s(:const, :Rails), :root), s(:call, s(:const, :Rails), :env), s(:call, s(:const, :Process), :pid)]
SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
SHELL_ESCAPE_MIXIN_METHODS = Set[:shellescape, :shelljoin]
SHELLWORDS = s(:const, :Shellwords)
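The logic the check describes, as an added example that is not Brakeman's own code: a small walker over RubyVM::AbstractSyntaxTree (not Brakeman's Sexp trees) that flags the calls shown above and treats the Shellwords escapes named in the SHELL_ESCAPE_* constants as safe. It assumes the multi-argument form system("ls", "-l", x) is safe because Ruby does not hand it to a shell, and the sample source is constructed for the example.

```ruby
require 'set'

Node = RubyVM::AbstractSyntaxTree::Node

COMMAND_METHODS = Set[:system, :exec, :syscall]   # backticks are DXSTR nodes, handled below
SHELL_ESCAPE_MODULE_METHODS = Set[:escape, :join, :shellescape, :shelljoin]
SHELL_ESCAPE_MIXIN_METHODS  = Set[:shellescape, :shelljoin]

# Shellwords.escape(x) / Shellwords.join(a) / x.shellescape / a.shelljoin
def escape_call?(node)
  return false unless node.is_a?(Node) && node.type == :CALL
  recv, mid = node.children
  SHELL_ESCAPE_MIXIN_METHODS.include?(mid) ||
    (SHELL_ESCAPE_MODULE_METHODS.include?(mid) &&
     recv.type == :CONST && recv.children.first == :Shellwords)
end

# True if the subtree holds an unescaped "#{...}" or a reference to params.
def unsafe?(node)
  return false unless node.is_a?(Node)
  return false if escape_call?(node)
  return true if node.type == :VCALL && node.children.first == :params
  return true if node.type == :EVSTR && !escape_call?(node.children.first)
  node.children.any? { |child| unsafe?(child) }
end

def each_node(node, &blk)
  return unless node.is_a?(Node)
  yield node
  node.children.each { |child| each_node(child, &blk) }
end

# Returns [[line, method], ...] for every risky shell call in +source+.
def find_command_injections(source)
  findings = []
  each_node(RubyVM::AbstractSyntaxTree.parse(source)) do |node|
    case node.type
    when :FCALL, :CALL
      mid  = node.children.find { |c| c.is_a?(Symbol) }
      args = node.children.last
      next unless COMMAND_METHODS.include?(mid) && args.is_a?(Node)
      argv = args.children.compact
      # system("ls", "-l", x) bypasses the shell entirely (assumption: treat as safe)
      next if %i[system exec].include?(mid) && argv.size > 1 && argv.first.type == :STR
      findings << [node.first_lineno, mid] if unsafe?(args)
    when :DXSTR
      findings << [node.first_lineno, :backticks] if unsafe?(node)
    end
  end
  findings
end

# Constructed sample in the shape this check flags; not real application code.
SAMPLE = <<~'RUBY'
  system("ls -l #{params[:file]}")
  exec(params[:command])
  `unlink #{params[:something]}`
  system("ls -l #{Shellwords.escape(params[:file])}")
  system("ls", "-l", params[:file])
  system("ls -l /tmp")
RUBY

puts find_command_injections(SAMPLE).inspect if $PROGRAM_NAME == __FILE__
```

Only the first three lines of the sample are reported; the escaped interpolation, the argv form and the literal command are left alone.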