GitlabSecurity-SystemCommandInjection.md

File metadata and controls

23 lines (15 loc) · 613 Bytes

Pattern: Use of system("/bin/ls #{params[:file]}")

Issue: -

Description

Check for use of system("/bin/ls #{params[:file]}"). Passing user input to system() without sanitization and parameterization can result in command injection.

Examples

# bad: the interpolated string is handed to a shell, so metacharacters in params[:file] are interpreted
system("/bin/ls #{params[:file]}")

# good (parameters): argv form, no shell is involved and the filename is a single literal argument
system("/bin/ls", filename)
# even better (shell_escape stands for an escaping helper such as Shellwords.escape)
exec("/bin/ls", shell_escape(filename))
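The pattern this rule flags, checked by a small stand-alone detector written for this page (not GitLab's RuboCop cop): it parses Ruby source with the stdlib Ripper and reports system/exec calls whose first argument is an interpolated string literal. The sample source is constructed.

```ruby
require 'ripper'

SHELL_SINKS = %w[system exec].freeze # the sinks this rule covers
# Constructed sample source (not from the page); lines 1, 2 and 4 should be flagged.
SAMPLE_SOURCE = <<~'RUBY'
  system("/bin/ls #{params[:file]}")
  system "/bin/ls #{params[:file]}"
  system("/bin/ls", filename)
  Kernel.exec("/bin/cat #{path}")
  puts "reading #{path}"
RUBY

# Method name and line for receiver-less, bare-command and dotted call nodes.
def callee(node)
  return nil unless node.is_a?(Array)
  id = case node[0]
       when :fcall  then node[1] # system(...)
       when :@ident then node    # system "..." (Ripper's :command form)
       when :call   then node[3] # Kernel.system(...)
       end
  [id[1], id[2][0]] if id.is_a?(Array) && id[0] == :@ident
end

# First positional argument, with optional parentheses stripped.
def first_arg(args)
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  return nil unless args.is_a?(Array) && args[0] == :args_add_block
  args[1].first
end

# True for a string literal containing at least one #{...} segment.
def interpolated_string?(node)
  return false unless node.is_a?(Array) && node[0] == :string_literal && node[1].is_a?(Array)
  node[1][1..].any? { |part| part.is_a?(Array) && part[0] == :string_embexpr }
end

# [[line, method], ...] for each system/exec call whose first argument is an interpolated string.
def find_shell_interpolation(source)
  findings = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if %i[method_add_arg command].include?(node[0])
      name, line = callee(node[1])
      findings << [line, name] if SHELL_SINKS.include?(name) && interpolated_string?(first_arg(node[2]))
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(Ripper.sexp(source))
  findings
end
```

Run against SAMPLE_SOURCE it reports lines 1, 2 and 4; the argv form on line 3 and the non-sink call on line 5 are left alone.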

Further Reading