Command injection missed when backticks have operator #1183
Comments
presidentbeef
added a commit
that referenced
this issue
Apr 25, 2018
presidentbeef
added a commit
that referenced
this issue
Apr 25, 2018
|
Thanks, fixing that turned up quite a few missed issues. |
|
Awesome, glad to hear it! Out of curiosity (not trying to nag), what does your RubyGems release cadence look like? (Don't go out of your way to cut a new release just for us; I'm really just wondering how often we should expect new gem versions in the future.) |
|
Funny you should ask. I was just thinking there should be an April release but probably not going to happen. Maybe sometime next week. BTW, as of today, there have been 106 releases in 2,800 days, so on average a release every 26 days :P |
|
Great, thanks for the info! |
Repository owner
locked and limited conversation to collaborators
Jul 14, 2018
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Background
Brakeman version: 4.2.1
Rails version: 5.1.4
Ruby version: 2.5.1
Issue
Brakeman correctly spots this vulnerability:
But misses it when we change the code to:
It appears to miss all command injection vulnerabilities in backticks that have a method called on them, regardless of what that method is or does.
The text was updated successfully, but these errors were encountered: