Comments on: Some Security Concerns While Programming In Ruby

By: Henryk Gerlach

Henryk Gerlach — Sun, 17 Aug 2008 18:53:55 +0000

What other vulnerabilities in Ruby (not Rails) can you think of? Iâ€™d definitely like to hear and add them here.
Well, constantize is more dangerous, than it looks like see
http://blog.littleimpact.de/index.php/2008/08/13/constantize-with-care/

This is nothing new (cf. http://wiki.rubyonrails.org/rails/pages/SingleTableInheritance) but I show how to exploit it in conjunction another security hole.

By: Henryk Gerlach

Henryk Gerlach — Tue, 12 Aug 2008 14:00:54 +0000

> In general, there are no safe way to use system.
I don’t know, how you came to this conclusion.

There are 2 ways to call system (http://www.ruby-doc.org/core/classes/Kernel.html#M005982):

a) with a single string
system(“echo $(seq 5)”)
that’s prone to shell injection, unless the string is properly escaped (see e.g. http://www.a-k-r.org/escape/)

b) with a command-string and each argument as an additional string:
system(“echo”, “$(seq 5)”)

This is save against shell injection. (as save as the called command/shell script).

By: Greg

Greg — Tue, 10 Jun 2008 13:24:45 +0000

From what I can tell there are four vectors for command-injection in Ruby. They all require the same treatment (generally avoidance when untrusted input is involved) but you should be wary of:

Kernel.system
Kernel.exec
%x[]
` (The back-tick operator)

By: links for 2008-04-30 « Amy G. Dala

links for 2008-04-30 « Amy G. Dala — Wed, 30 Apr 2008 14:32:54 +0000

[...] RubyLearning.com Blog (tags: ruby programming security) [...]

By: links for 2008-04-29 | Libin Pan

links for 2008-04-29 | Libin Pan — Tue, 29 Apr 2008 06:32:51 +0000

[...] RubyLearning.com Blog Some Security Concerns While Programming In Ruby (tags: programming rails ruby security) [...]