Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Command injection false positive #1189

Closed
JacobEvelyn opened this Issue May 1, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@JacobEvelyn
Copy link
Contributor

JacobEvelyn commented May 1, 2018

Background

Brakeman version: 4.2.1
Rails version: 5.1.6
Ruby version: 2.5.1

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system("echo #{Shellwords.escape("#{file_prefix}.txt")}")
File: app/controllers/api/v1/application_controller.rb
Line: 12

Relevant code:

def safe(file_prefix)
  filename = Shellwords.escape("#{file_prefix}.txt")
  system("echo #{filename}")
end

I believe this is a false positive because even if file_prefix contains dangerous user input, it will be escaped before the system call. I might be missing something though.

@presidentbeef

This comment has been minimized.

Copy link
Owner

presidentbeef commented May 6, 2018

This was confusing, because I recently fixed false positives with Shellwords...but the nested interpolation was the problem.

Thank you for reporting!

Repository owner locked and limited conversation to collaborators Jul 14, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.