Ruby Command Injection Concat String
Description
Detects potential command injection vulnerabilities in Ruby code that executes commands through the Open3 module. The vulnerability occurs when user-controlled input is interpolated or concatenated into a single command string passed to Open3 methods such as capture2, capture3, popen2 or popen3. Ruby hands such a string to /bin/sh whenever it contains shell metacharacters, so an attacker can terminate the intended command with characters like ;, | or && and run arbitrary system commands with the privileges of the application. Passing the command and each argument as separate strings avoids the shell entirely and is the standard remediation.
Detection Strategy
• Look for method calls on the Open3 module (e.g., Open3.capture2, Open3.capture3, Open3.popen3)
• Check whether the command argument to these methods is a single string built with interpolation (#{...}) or concatenation (+)
• Trace the dynamic part of that string back to its source and verify it can carry user-controlled data (request parameters, headers, file contents, environment)
• Report a vulnerability when the command string can be influenced by external input; calls that pass the command and its arguments as separate strings are not reported
Vulnerable code example
require 'sinatra'
require 'open3'
get '/vulnerable/command' do
  # SOURCE: User input from query parameter
  user_input = params[:cmd]
  # VULNERABILITY: Direct interpolation of user input into command...
Secure code example
require 'sinatra'
require 'open3'
get '/vulnerable/command' do
  # SOURCE: User input from query parameter
  user_input = params[:cmd]
  # SECURE: Command and arguments passed separately to prevent command injection...
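The following is an added example, not code from the page or from Fluid Attacks' rule implementation. It shows both halves of the page in runnable form: the vulnerable one-string call beside its argv-form fix, executed with a constructed payload so the difference is visible in the output, and a line-based version of the Detection Strategy above that flags Open3 calls whose first argument is an interpolated or concatenated string. The helper names (run_vulnerable, run_secure, flag_open3_calls), the regexes and the sample source are all assumptions made for this example; Sinatra is left out so the block runs without any gem.

```ruby
require 'open3'

# ---- Runtime demonstration: one-string command vs. argv form ----------------

# Constructed attacker input: a shell metacharacter followed by a second command.
PAYLOAD = 'hello; echo INJECTED'

# Vulnerable pattern (hypothetical helper): user input interpolated into one
# command string. Because the result contains shell metacharacters, Ruby runs it
# via /bin/sh -c, so the ';' ends `echo` and the attacker's second command runs.
def run_vulnerable(user_input)
  stdout, _status = Open3.capture2("echo #{user_input}")
  stdout
end

# Secure pattern: command and arguments passed as separate strings. No shell is
# spawned; user_input reaches `echo` as a single literal argv entry, so the ';'
# is just text.
def run_secure(user_input)
  stdout, _status = Open3.capture2('echo', user_input)
  stdout
end

# ---- Detection heuristic: the Detection Strategy bullets as code ------------

# Matches Open3 calls that take a command and captures everything after the
# method name so the first argument can be inspected.
OPEN3_CALL = /\bOpen3\.(?:capture2e?|capture3|popen2e?|popen3)\s*\(?\s*(.+)\z/

# True when the first argument is a string literal built dynamically: either a
# double-quoted string containing #{...} interpolation, or a string literal
# immediately followed by '+' (concatenation).
def dynamic_command_string?(args)
  args = args.strip
  return true if args.match?(/\A"(?:[^"\\]|\\.)*#\{/)
  return true if args.match?(/\A(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\+/)
  false
end

# Returns the 1-based line numbers of Open3 calls whose command argument is a
# dynamically built string. Deliberately line-based: it does not follow a
# variable assigned on an earlier line, which is what a real SAST engine's
# taint tracking adds on top of this pattern match.
def flag_open3_calls(source)
  flagged = []
  source.each_line.with_index(1) do |line, n|
    m = line.chomp.match(OPEN3_CALL)
    next unless m
    flagged << n if dynamic_command_string?(m[1])
  end
  flagged
end

# Constructed sample source (single-quoted heredoc so #{...} stays literal).
SAMPLE_SOURCE = <<~'RUBY'
  Open3.capture2("ls -la #{params[:dir]}")
  Open3.capture2('ls -la ' + params[:dir])
  Open3.capture2("ls", "-la", params[:dir])
  Open3.popen3("wc -l #{file}") { |_i, o, _e, _t| o.read }
  Open3.capture3('git', 'log', '--oneline')
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_vulnerable(PAYLOAD).inspect}"            # "hello\nINJECTED\n"
  puts "secure:     #{run_secure(PAYLOAD).inspect}"                # "hello; echo INJECTED\n"
  puts "flagged lines: #{flag_open3_calls(SAMPLE_SOURCE).inspect}" # [1, 2, 4]
end
```

Two caveats worth keeping in mind when applying the fix. First, a one-string command without metacharacters does not go through the shell, but Ruby still splits it on whitespace, so user input containing spaces can still inject extra arguments; the argv form is the only one that makes the boundary explicit. Second, the argv form prevents command injection but not argument abuse: the attacker still controls the value of that argument (a leading -, a path, a hostname), so validate it against an allow-list of the shape the program expects before passing it on.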