
Command injection false positive in enumeration #1224

Closed
bannable opened this Issue Jun 1, 2018 · 1 comment


bannable commented Jun 1, 2018

Background

Brakeman version: 4.3.0
Rails version: 3.2.22.8
Ruby version: 2.3.7p456

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Command Injection
Check: Execute
Code: `echo #{table}`

Relevant code:

```ruby
# `table` can only ever be one of the two literals below, so the
# interpolation into backticks cannot carry attacker-controlled input.
def safe
  tables = %w(one two)
  tables.each { |table| `echo #{table}` }
end
```
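The loop above is safe only because `table` is drawn from a literal array, which is exactly the distinction Brakeman has to make statically. As an added example (not from the issue and not Brakeman's code), here is the same loop rewritten so that no shell is spawned at all, plus an allowlist guard for callers that receive the name from outside; `TABLES` and the helper names are constructed for this example.

```ruby
require 'open3'

# Literal allowlist of table names (constructed for this example).
TABLES = %w(one two).freeze

# Original pattern from the issue: safe here because `table` is always one
# of the literals above, but the backtick form spawns a shell, so a later
# change that sources `table` from user input turns it into an injection.
def echo_via_shell(tables = TABLES)
  tables.map { |table| `echo #{table}`.chomp }
end

# Hardened form: command and arguments are passed as separate strings, so no
# shell is involved and metacharacters in `table` reach echo literally.
def echo_without_shell(tables = TABLES)
  tables.map do |table|
    out, status = Open3.capture2('echo', table)
    raise "echo failed: #{status}" unless status.success?
    out.chomp
  end
end

# Runtime guard for callers that take the table name from outside:
# accept only values present in the literal allowlist.
def echo_allowlisted(name)
  raise ArgumentError, "unknown table #{name.inspect}" unless TABLES.include?(name)
  echo_without_shell([name]).first
end
```

Brakeman's static reasoning and this runtime guard are complementary: the allowlist makes the safe set explicit in code, and the argv form removes the shell so there is nothing left to inject into.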

presidentbeef commented Jun 5, 2018

Fixed by #1227 (and actually a duplicate of #1208).

Repository owner locked and limited conversation to collaborators Jul 14, 2018
