Sha256: 3b4fd9ef5e347b5446c360368bbc65ccf7c3710c9b733c26470c77cd2c24ee59

Contents?: true

Size: 1.06 KB

Versions: 3

Compression:

Stored size: 1.06 KB

Contents

# frozen_string_literal: true

module RuboCop
  module Cop
    module GitlabSecurity
      # Check for use of system("/bin/ls #{params[:file]}")
      #
      # Passing user input to system() without sanitization and parameterization can result in command injection
      #
      # @example
      #
      #   # bad
      #   system("/bin/ls #{filename}")
      #
      #   # good (parameters)
      #   system("/bin/ls", filename)
      #   # even better
      #   exec("/bin/ls", shell_escape(filename))
      #
      class SystemCommandInjection < RuboCop::Cop::Base
        MSG = 'Do not include variables in the command name for system(). ' \
              'Use parameters "system(cmd, params)" or exec() instead.'

        # @!method system_var?(node)
        def_node_matcher :system_var?, <<-PATTERN
          (dstr (str ...) (begin ...) ...)
        PATTERN

        def on_send(node)
          return unless node.command?(:system)
          return unless node.arguments.any? { |e| system_var?(e) }

          add_offense(node.loc.selector)
        end
      end
    end
  end
end

Version data entries

3 entries across 3 versions & 1 rubygems

Version Path
gitlab-styles-11.0.0 lib/rubocop/cop/gitlab_security/system_command_injection.rb
gitlab-styles-10.1.0 lib/rubocop/cop/gitlab_security/system_command_injection.rb
gitlab-styles-10.0.0 lib/rubocop/cop/gitlab_security/system_command_injection.rb