Command injection false positive #1189

JacobEvelyn · 2018-05-01T17:55:57Z

Background

Brakeman version: 4.2.1
Rails version: 5.1.6
Ruby version: 2.5.1

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system("echo #{Shellwords.escape("#{file_prefix}.txt")}")
File: app/controllers/api/v1/application_controller.rb
Line: 12

Relevant code:

def safe(file_prefix)
  filename = Shellwords.escape("#{file_prefix}.txt")
  system("echo #{filename}")
end

I believe this is a false positive because even if file_prefix contains dangerous user input, it will be escaped before the system call. I might be missing something though.

The text was updated successfully, but these errors were encountered:

happens to fix #1189

presidentbeef · 2018-05-06T00:08:54Z

This was confusing, because I recently fixed false positives with Shellwords...but the nested interpolation was the problem.

Thank you for reporting!

presidentbeef added a commit that referenced this issue May 5, 2018

include_interp? should return first string interp

74444a4

happens to fix #1189

presidentbeef mentioned this issue May 6, 2018

BaseCheck#include_interp? should return first string interp #1195

Merged

presidentbeef closed this as completed in #1195 May 8, 2018

dependencies bot mentioned this issue May 14, 2018

Update brakeman in / from 4.2.1 to 4.3.0 severest/question-cove#41

Merged

Repository owner locked and limited conversation to collaborators Jul 14, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Command injection false positive #1189

Command injection false positive #1189

JacobEvelyn commented May 1, 2018

presidentbeef commented May 6, 2018

Command injection false positive #1189

Command injection false positive #1189

Comments

JacobEvelyn commented May 1, 2018

Background

False Positive

presidentbeef commented May 6, 2018