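# frozen_string_literal: true

module RuboCop
  module Cop
    module GitlabSecurity
      # Check for use of system("/bin/ls #{params[:file]}")
      #
      # Passing user input to system() without sanitization and parameterization can result in command injection
      #
      # @example
      #
      #   # bad
      #   system("/bin/ls #{params[:file]}")
      #
      #   # good (parameters)
      #   system("/bin/ls", filename)
      #
      #   # even better
      #   exec("/bin/ls", shell_escape(filename))
      #
      # Scope: only interpolated string literals (`dstr` nodes) passed to a
      # bare `system(...)` call are inspected. A plain variable argument, or a
      # call with an explicit receiver (e.g. `Kernel.system`), is not flagged.
      class SystemCommandInjection < RuboCop::Cop::Base
        MSG = 'Do not include variables in the command name for system(). ' \
              'Use parameters "system(cmd, params)" or exec() instead.'

        # @!method system_var?(node)
        #
        # Matches an interpolated string containing at least one `#{...}`
        # segment (a `begin` child) at any position. The earlier pattern
        # `(dstr (str ...) (begin ...) ...)` required a literal segment first,
        # so a command whose interpolation came first, e.g.
        # `system("#{bin} -l")`, was not reported.
        def_node_matcher :system_var?, <<-PATTERN
          (dstr <(begin ...) ...>)
        PATTERN

        # Report a receiver-less `system` call whose arguments include an
        # interpolated string.
        #
        # @param node [RuboCop::AST::SendNode] the send node under inspection
        def on_send(node)
          # `command?` restricts the check to calls without an explicit receiver.
          return unless node.command?(:system)
          # Any argument position may carry the interpolation, not only the first.
          return unless node.arguments.any? { |arg| system_var?(arg) }

          add_offense(node.loc.selector)
        end
      end
    end
  end
end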
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
gitlab-styles-13.0.1 | lib/rubocop/cop/gitlab_security/system_command_injection.rb |
gitlab-styles-13.0.0 | lib/rubocop/cop/gitlab_security/system_command_injection.rb |