Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Safely execute shell commands and get their output.

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 spec
Octocat-spinner-32 tmp
Octocat-spinner-32 .document
Octocat-spinner-32 .gitignore
Octocat-spinner-32 Gemfile
Octocat-spinner-32 Gemfile.lock
Octocat-spinner-32 LICENSE
Octocat-spinner-32 README.rdoc
Octocat-spinner-32 Rakefile
Octocat-spinner-32 safe_shell.gemspec
README.rdoc

SafeShell

SafeShell lets you execute shell commands and get the resulting output, but without the security problems of Ruby's backtick operator.

Usage

gem install safe_shell

require 'safe_shell'
SafeShell.execute("echo", "Hello, world!")

SafeShell sets the $? operator to the process status, in the same manner as the backtick operator.

# Send stdout and stderr to files:
SafeShell.execute("echo", "Hello, world!", :stdout => "output.txt", :stderr => "error.txt")

# Return true if the command exits with a zero status:
SafeShell.execute?("echo", "Hello, world!")

# Raise an exception if the command exits with a non-zero status:
SafeShell.execute!("echo", "Hello, world!")

Why?

If you use backticks to process a file supplied by a user, a carefully crafted filename could allow execution of an arbitrary command:

file = ";blah"
`echo #{file}`
sh: blah: command not found
=> "\n"

SafeShell solves this.

SafeShell.execute("echo", file)
=> ";blah\n"

Compatibility

Tested with Ruby 1.8.7, but it should be happy on pretty much any Ruby version. Maybe not so much on Windows.

Developing

  • Fork the project.

  • Make your feature addition or bug fix.

  • Add tests for it. This is important so I don't break it in a future version unintentionally.

  • Commit, do not mess with rakefile, version, or history. (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)

  • Send me a pull request. Bonus points for topic branches.

Status

In use on at least one big site, so should be pretty solid. There's not much to it, so I'm not expecting there'll be many releases.

Copyright

Copyright © 2010 Envato, Ian Leitch, & Pete Yandell. See LICENSE for details.

Something went wrong with that request. Please try again.