Ruby Dangerous Io Copy Stream
Description
Detects potentially dangerous usage of Ruby's IO.copy_stream method, which can copy data from an untrusted source to an arbitrary destination. When the source or destination argument is derived from unvalidated input, this can lead to unauthorized file operations or path traversal.
Detection Strategy
• Identifies calls to copy_stream method in Ruby code
• Examines the arguments passed to copy_stream to check for potentially dangerous patterns
• Reports a vulnerability when copy_stream is called with parameters that could be manipulated by untrusted input
• Verifies the presence and structure of the argument list in the method call
Vulnerable code example
require 'fileutils'

class FileUploader
  def save_upload(params)
    file = params[:file]
    # Vulnerable: uses unvalidated user input (the client-supplied filename) to build the upload path
    target_path = "/var/www/uploads/" + file.original_filename
    # Vulnerable: blindly copies the file without checking its type, size or content
    FileUtils.copy(file.tempfile.path, target_path)
  end
end
✅ Secure code example
class FileUploader
  ALLOWED_CONTENT_TYPES = ['image/jpeg', 'image/png', 'image/gif'].freeze
  UPLOAD_DIR = File.join(Rails.root, 'storage', 'uploads') # Store outside the webroot
  MAX_SIZE = 10.megabytes

  def save_upload(params)
    file = params[:file]
    # ...
  end
end
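The vulnerable and secure examples above are truncated on this page, so here is an added, stand-alone hardened version (not Fluid Attacks' code) showing the checks a detection like this one expects before IO.copy_stream runs: content-type allow-list, size limit, filename sanitisation, and a containment check on the resolved path. It assumes a plain Ruby upload object with the same four methods as a Rails upload (original_filename, content_type, size, tempfile), so no Rails is needed.

```ruby
require 'fileutils'
require 'tempfile'
require 'tmpdir'

# Constructed stand-in for an uploaded file (no Rails required); a real
# ActionDispatch::Http::UploadedFile responds to the same four methods.
Upload = Struct.new(:original_filename, :content_type, :size, :tempfile)

def build_upload(name, content_type, data)
  tmp = Tempfile.new('upload')
  tmp.binmode
  tmp.write(data)
  tmp.flush
  Upload.new(name, content_type, data.bytesize, tmp)
end

class SafeFileUploader
  ALLOWED_CONTENT_TYPES = ['image/jpeg', 'image/png', 'image/gif'].freeze
  MAX_SIZE = 10 * 1024 * 1024 # plain-Ruby stand-in for 10.megabytes
  SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/ # rejects ".", ".." and odd bytes

  class RejectedUpload < StandardError; end

  def initialize(upload_dir)
    @upload_dir = File.expand_path(upload_dir) # absolute root for the containment check
    FileUtils.mkdir_p(@upload_dir)
  end

  # Returns the destination path, or raises RejectedUpload.
  def save_upload(file)
    # The client-declared content type is a first filter only, not proof of the content.
    raise RejectedUpload, 'content type' unless ALLOWED_CONTENT_TYPES.include?(file.content_type)
    raise RejectedUpload, 'too large' if file.size > MAX_SIZE

    # Drop any directory part the client sent ("../../etc/x.png" -> "x.png"),
    # then allow-list the remaining characters.
    base = File.basename(file.original_filename.to_s)
    raise RejectedUpload, 'filename' unless base.match?(SAFE_NAME)

    # Resolve and verify the final path still sits inside the upload root.
    target = File.expand_path(base, @upload_dir)
    raise RejectedUpload, 'traversal' unless target.start_with?(@upload_dir + File::SEPARATOR)

    # Cap the copy at MAX_SIZE so a misreported size cannot exceed the limit.
    File.open(target, 'wb') { |dst| IO.copy_stream(file.tempfile.path, dst, MAX_SIZE) }
    target
  end
end
```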