Class: RuboCop::Cop::GitlabSecurity::SystemCommandInjection

Inherits:

Base

• Object
• Base
• RuboCop::Cop::GitlabSecurity::SystemCommandInjection

Defined in:

lib/rubocop/cop/gitlab_security/system_command_injection.rb

Overview

Check for use of system(“/bin/ls #:file”)

Passing user input to system() without sanitization and parameterization can result in command injection

Examples:

# bad
system("/bin/ls #{filename}")

# good (parameters)
system("/bin/ls", filename)
# even better
exec("/bin/ls", shell_escape(filename))

Constant Summary

MSG =

'Do not include variables in the command name for system(). ' \
'Use parameters "system(cmd, params)" or exec() instead.'

Instance Method Summary

• #on_send(node) ⇒ Object
• #system_var?(node) ⇒ Object

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 29

def on_send(node)
  return unless node.command?(:system)
  return unless node.arguments.any? { |e| system_var?(e) }

  add_offense(node.loc.selector)
end

#system_var?(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/system_command_injection.rb', line 25

def_node_matcher :system_var?, <<-PATTERN
  (dstr (str ...) (begin ...) ...)
PATTERN