Command injection missed when backticks have operator #1183
Comments
Thanks, fixing that turned up quite a few missed issues.
Awesome, glad to hear it! Out of curiosity (not trying to nag), what does your RubyGems release cadence look like? (Don't go out of your way to cut a new release just for us; I'm really just wondering how often we should expect new gem versions in the future.)
Funny you should ask. I was just thinking there should be an April release but probably not going to happen. Maybe sometime next week. BTW, as of today, there have been 106 releases in 2,800 days, so on average a release every 26 days :P
Great, thanks for the info!
Background
Brakeman version: 4.2.1
Rails version: 5.1.4
Ruby version: 2.5.1
Issue
Brakeman correctly spots this vulnerability:
But misses it when we change the code to:
It appears to miss all command injection vulnerabilities in backticks that have a method called on them, regardless of what that method is or does.
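The pattern the report describes, as an added example that is not code from the issue or from Brakeman: a backtick command with untrusted input interpolated into it, with a method chained on the result. The chained call has no effect on whether a shell runs the string, so the injection works exactly as it would without it. The input string, the use of `echo`, and the function names are constructed for this illustration; it assumes a POSIX `/bin/sh` is available. Two hardened variants follow: escaping the value with `Shellwords` (still shell-based) and passing the program and its argument as separate argv elements (no shell involved).

```ruby
require 'open3'
require 'shellwords'

# Constructed attacker-controlled input, standing in for something like
# params[:name] in a Rails controller. The ';' ends the intended command
# and starts a second one.
UNTRUSTED = "hello; echo INJECTED".freeze

# Vulnerable pattern from the report: untrusted data interpolated into
# backticks, with a method (.chomp) chained on the result. The chained call
# changes nothing about execution; Ruby still hands the whole string to
# /bin/sh because it contains shell metacharacters.
def run_vulnerable(input)
  `echo #{input}`.chomp
end

# Still shell-based, but the interpolated value is escaped first, so the
# ';' and the spaces reach echo as literal characters of one argument.
def run_escaped(input)
  `echo #{Shellwords.escape(input)}`.chomp
end

# Preferred fix: pass the program and its arguments as separate argv
# elements. With more than one argument, Open3 (via Process.spawn) executes
# the program directly, so no shell ever parses the untrusted value.
def run_safe(input)
  out, _status = Open3.capture2('echo', input)
  out.chomp
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{run_vulnerable(UNTRUSTED).inspect}" # => "hello\nINJECTED"
  puts "escaped:    #{run_escaped(UNTRUSTED).inspect}"    # => "hello; echo INJECTED"
  puts "argv:       #{run_safe(UNTRUSTED).inspect}"       # => "hello; echo INJECTED"
end
```

The vulnerable variant returns two lines because the shell executed the attacker's second command; both hardened variants return the input unchanged as a single argument. When reviewing Ruby code by hand, treat any backtick or `%x()` literal containing `#{...}` as dynamic regardless of what is chained after it, which is the case this report says the scanner was missing.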