Class: RuboCop::Cop::EightyFourCodes::CommandLiteralInjection

Inherits: Base < Object
Defined in: lib/rubocop/cop/eighty_four_codes/command_literal_injection.rb

Overview

Checks for interpolation inside command literals, in either the backtick form `/bin/ls #{file}` or the %x form %x(/bin/ls #{file}).

Passing user input into a backtick or %x command literal without sanitization and parameterization can result in command injection: the assembled string is handed to a shell, so metacharacters in the input are interpreted as shell syntax rather than as part of a filename.

Examples:


# bad: the variable is interpolated into a string the shell then parses
%x(/bin/ls #{filename})

# good (parameters): each argument reaches the program as-is, no shell involved
system("/bin/ls", filename)
# even better (shell_escape stands for an escaping helper such as Shellwords.escape)
exec("/bin/ls", shell_escape(filename))

Constant Summary

MSG =
'Do not include variables command literals. Use parameters "system(cmd, params)" or exec() instead'

Instance Method Details

#check_for_interpolation(node) ⇒ Object

# File 'lib/rubocop/cop/eighty_four_codes/command_literal_injection.rb', line 31

def check_for_interpolation(node)
  # literal_var? is a helper defined elsewhere in the cop (not shown on this
  # page); it is true for the interpolated (#{...}) children of the literal.
  return if node.children.none? { |n| literal_var?(n) }

  add_offense(node)
end

#on_xstr(node) ⇒ Object

# File 'lib/rubocop/cop/eighty_four_codes/command_literal_injection.rb', line 27

# RuboCop calls this for every xstr node, i.e. every `...` or %x(...) literal.
def on_xstr(node)
  check_for_interpolation(node)
end