Background

Brakeman version: 4.3.0 (pro)
Rails version: 3.2.22.8
Ruby version: 2.3.7p456

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Command Injection
Check: Execute
Code: system("echo #{f ? ("-n ") : ("")}")
File: lib/hello.rb
Line: 3
Relevant code:

```ruby
def safe(f = false)
  # Only one of two literal strings is ever interpolated into the command
  system "echo #{f ? '-n ' : ''}"
end
```
Why might this be a false positive?
There is no user input to the system call. Interestingly, this also causes Brakeman to miss this injection, and report only the ternary as a problem:

```ruby
def unsafe(file, f = false)
  # `file` is interpolated straight into the shell command line
  system "echo #{f ? '-n ' : ''} < #{file}"
end
```
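The distinction the report draws, as an added example that is not part of the issue or of Brakeman itself: a small Ripper-based walk over the two methods above (embedded as a constructed sample) that grades each `#{...}` inside a `system` call by whether it can only ever evaluate to a literal, so the ternary of two literals passes while `#{file}` is flagged.

```ruby
require "ripper"

# Constructed sample: the two methods from the report, in a single-quoted heredoc so #{...} stays source text.
SAMPLE = <<~'RUBY'
  def safe(f = false)
    system "echo #{f ? '-n ' : ''}"
  end
  def unsafe(file, f = false)
    system "echo #{f ? '-n ' : ''} < #{file}"
  end
RUBY

# True when an expression can only evaluate to a literal; a ternary is judged by its branches, not its condition.
def literal_only?(node)
  return true unless node.is_a?(Array)
  return node.all? { |c| literal_only?(c) } unless node.first.is_a?(Symbol) # statement/argument lists
  case node.first
  when :ifop    then literal_only?(node[2]) && literal_only?(node[3])
  when :var_ref then node[1].first == :@kw                       # true/false/nil are literals
  when :@tstring_content, :@int, :@float then true
  when :@ident, :@ivar, :@gvar, :@cvar, :vcall, :call, :fcall, :command, :method_add_arg, :aref then false
  else node.drop(1).all? { |c| literal_only?(c) }                # any other node: all children literal
  end
end
# Recognises both `system "..."` and `system("...")` in Ripper's S-expression.
def system_call?(node)
  node.is_a?(Array) && ((node.first == :command && node[1][1] == "system") ||
    (node.first == :method_add_arg && node[1].first == :fcall && node[1][1][1] == "system"))
end
# Collects the statement list of every #{...} below a node.
def embexprs(node, acc = [])
  return acc unless node.is_a?(Array)
  node.first == :string_embexpr ? acc << node[1] : node.each { |c| embexprs(c, acc) }
  acc
end
# Walks the tree, remembering the enclosing def, and grades each interpolation inside a system call.
def scan(node, current_def = nil, findings = [])
  return findings unless node.is_a?(Array)
  current_def = node[1][1] if node.first == :def
  if system_call?(node)
    embexprs(node).each { |e| findings << { method: current_def, literal_only: literal_only?(e) } }
  else
    node.each { |c| scan(c, current_def, findings) }
  end
  findings
end
# Methods where at least one interpolation reaches the shell carrying non-literal data.
def risky_methods(src)
  scan(Ripper.sexp(src)).reject { |f| f[:literal_only] }.map { |f| f[:method] }.uniq
end
```

`risky_methods(SAMPLE)` returns `["unsafe"]`: the ternary in both methods is graded literal-only, and only the `#{file}` interpolation is reported.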
Hi Joe,
Thank you for reporting this issue and for the clear code examples. This was fixed on master with #1214.