Class: RuboCop::Cop::GitlabSecurity::SystemCommandInjection

Inherits:
Cop
  • Object
Defined in:
lib/rubocop/cop/gitlab-security/system_command_injection.rb

Overview

Check for use of system("/bin/ls #{file}")

Passing user input to system() without sanitization and parameterization can result in command injection.

Examples:

# bad
system("/bin/ls #{filename}")

# good (parameters)
system("/bin/ls", filename)
# even better
exec("/bin/ls", shell_escape(filename))
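The three forms above differ in whether a shell ever sees the user-controlled value. The following runnable demonstration is an added example, not part of the cop or of gitlab-styles: it uses echo in place of /bin/ls so the effect is visible in the output, and a constructed file name that carries a shell command separator. The page's shell_escape is not a Ruby built-in, so the third function uses the standard library's Shellwords.escape, which is assumed to be what such a helper would wrap.

```ruby
require "open3"
require "shellwords"

# Constructed attacker-controlled value (example only): a "file name" that also
# carries a shell command separator followed by a second command.
TAINTED_NAME = "harmless.txt; echo INJECTED"

# Mirrors the "bad" form: one interpolated string. Because the string contains
# shell metacharacters, Ruby hands it to /bin/sh -c, which splits on ';' and
# runs the smuggled command as well.
def run_interpolated(name)
  out, _status = Open3.capture2("echo #{name}")
  out
end

# Mirrors the "good (parameters)" form: command and argument are separate argv
# entries, so no shell is involved and the value reaches echo as one literal
# argument, separator and all.
def run_parameterized(name)
  out, _status = Open3.capture2("echo", name)
  out
end

# Mirrors the "even better" form using the standard library escaper
# (Shellwords.escape stands in for the page's shell_escape): the shell still
# runs, but every metacharacter is backslash-quoted, so it sees a single word.
def run_escaped(name)
  out, _status = Open3.capture2("echo #{Shellwords.escape(name)}")
  out
end

if __FILE__ == $PROGRAM_NAME
  puts run_interpolated(TAINTED_NAME)  # two lines; the second is the injected command's output
  puts run_parameterized(TAINTED_NAME) # one line, the input printed verbatim
  puts run_escaped(TAINTED_NAME)       # one line, the input printed verbatim
end
```

The parameterized form is the one to prefer: it removes the shell from the path entirely, so there is no escaping to get wrong. Escaping only helps when the interpolated value is fully wrapped by the escaper; a value concatenated next to an escaped one is still exposed.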

Constant Summary

MSG =
'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
If this warning is in error you can white-list the line with `#rubocop:disable GitLabSecurity/SystemCommandInjection`'.freeze

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab-security/system_command_injection.rb', line 26

def on_send(node)
  # Only calls to system() are in scope for this cop.
  return unless node.command?(:system)
  # Flag the call when any argument is a string that embeds variables
  # (system_var? is a node-pattern matcher not shown on this page).
  return unless node.arguments.any? { |e| system_var?(e) }

  # Report the offense on the method name (selector), not the whole call.
  add_offense(node, location: :selector)
end
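To make the shape of this check concrete without depending on RuboCop's node-pattern DSL, here is an added, stand-alone re-implementation using Ruby's built-in parser (RubyVM::AbstractSyntaxTree, available in MRI 2.6 and later). It is not the cop's own code: the cop's system_var? matcher is not shown on this page, so the condition used here, "any literal argument of system() is an interpolated string", is my approximation of it. Like the cop, it is purely syntactic: a command string assembled earlier and passed in a variable, or passed to exec, spawn or backticks instead of system, is not seen by this check.

```ruby
# Depth-first walk over an AST, yielding every Node (child Arrays are
# descended into; strings, symbols and nils are skipped).
def each_node(node, &blk)
  case node
  when RubyVM::AbstractSyntaxTree::Node
    yield node
    node.children.each { |c| each_node(c, &blk) }
  when Array
    node.each { |c| each_node(c, &blk) }
  end
end

# True if the node is an interpolated string literal ("... #{...} ..."):
# a DSTR node containing at least one EVSTR (embedded expression) part.
def interpolated_string?(node)
  return false unless node.is_a?(RubyVM::AbstractSyntaxTree::Node) && node.type == :DSTR
  each_node(node) { |n| return true if n.type == :EVSTR }
  false
end

# Returns [line, column] for every system() call whose literal arguments
# include an interpolated string. Both the receiver-less form (FCALL) and
# Kernel.system(...) (CALL) are inspected.
def system_injection_offenses(source)
  offenses = []
  each_node(RubyVM::AbstractSyntaxTree.parse(source)) do |n|
    case n.type
    when :FCALL then method, args = n.children          # system(...)
    when :CALL  then _recv, method, args = n.children   # Kernel.system(...)
    else next
    end
    next unless method == :system
    # args is a LIST (older Rubies: ARRAY) node whose children end with nil.
    arg_nodes = args.nil? ? [] : args.children
    next unless arg_nodes.any? { |a| interpolated_string?(a) }
    offenses << [n.first_lineno, n.first_column]
  end
  offenses
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs (example only); single quotes keep the #{...} unevaluated here.
  p system_injection_offenses('system("/bin/ls #{filename}")')  # flagged
  p system_injection_offenses('system("/bin/ls", filename)')    # clean
end
```

Running it over the page's own examples shows the asymmetry the cop relies on: the interpolated form yields an offense at the call site, while the parameterized form and a plain string literal yield none. The second argument of the parameterized form is an ordinary identifier, not a string, so it can never satisfy the check.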