Some Ruby core methods accept string data that includes text to be executed as a system command.
They should not be called with unknown or unsanitized commands.
These methods include:
-
Kernel.exec
-
Kernel.spawn
-
Kernel.system
-
`command` (backtick method) (also called by the expression
%x[command]). -
IO.popen (when called with other than
"-").
Some methods execute a system command only if the given path name starts with a |:
-
Kernel.open(command).
-
IO.read(command).
-
IO.write(command).
-
IO.binread(command).
-
IO.binwrite(command).
-
IO.readlines(command).
-
IO.foreach(command).
-
URI.open(command).
Note that some of these methods do not execute commands when called from subclass File:
-
File.read(path).
-
File.write(path).
-
File.binread(path).
-
File.binwrite(path).
-
File.readlines(path).
-
File.foreach(path).