 

Calling shell command from ruby with proper argument escaping

I want to do the following securely

system "echo '#{params[:message]}' > /dev/log"

What is the proper way for escaping arguments when calling a native command?

(Example evil input: '; rm -Rf *; echo 'I won.)

asked May 10 '11 10:05 by Notinlist


1 Answer

If you do

system "echo", params[:message]

Then the second argument will be sent as an argument; it will not be executed.

answered Oct 18 '22 17:10 by Rob Di Marco
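The difference between the two forms, as an added example that is not part of the question or the answer above. It runs the question's interpolated-string form and the answer's argument-vector form against the evil input from the question inside a throwaway temp directory with a sentinel file, so the effect of `rm -Rf *` is visible but confined. The sentinel file name, the `out:` redirect and the Shellwords variant are this example's own choices, not anything from the page.

```ruby
require "open3"
require "shellwords"
require "tmpdir"

# Constructed stand-in for params[:message], copied from the question.
EVIL_MESSAGE = "'; rm -Rf *; echo 'I won."

# Create a fresh temp dir containing one sentinel file, run the block with
# that dir as cwd, and report whether the sentinel survived.
def sentinel_survives?
  Dir.mktmpdir do |dir|
    sentinel = File.join(dir, "victim.txt")
    File.write(sentinel, "keep me")
    Dir.chdir(dir) { yield }
    File.exist?(sentinel)
  end
end

# Vulnerable: a single string with shell metacharacters, so Ruby hands it
# to /bin/sh and the quote inside EVIL_MESSAGE closes the literal early.
# (Only the /dev/log redirect from the question is dropped here.)
def unsafe_echo(message)
  system("echo '#{message}'")
end

# Safe: argument-vector form. Ruby execs the program directly; message is
# exactly one argv entry and is never parsed by a shell.
def safe_echo(message)
  out, status = Open3.capture2("echo", message)
  status.success? ? out : nil
end

# Safe with a redirect and still no shell: Process.spawn's out: option
# (accepted by system/Open3 too) does the file redirection in Ruby.
def safe_echo_to_file(message, path)
  system("echo", message, out: [path, "w"]) or raise "echo failed"
  File.read(path)
end

# If a shell really is required, escape every interpolated word with
# Shellwords.escape; the result is a quoted command string for /bin/sh.
def shell_escaped_command(message, path)
  "echo #{Shellwords.escape(message)} > #{Shellwords.escape(path)}"
end

def safe_echo_via_escaped_shell(message, path)
  system(shell_escaped_command(message, path)) or raise "shell command failed"
  File.read(path)
end

if $PROGRAM_NAME == __FILE__
  puts "interpolated string, sentinel survived? " \
       "#{sentinel_survives? { unsafe_echo(EVIL_MESSAGE) }}"   # false
  puts "argv form, sentinel survived? " \
       "#{sentinel_survives? { safe_echo(EVIL_MESSAGE) }}"     # true
  Dir.mktmpdir do |dir|
    p safe_echo_to_file(EVIL_MESSAGE, File.join(dir, "log.txt"))
    p safe_echo_via_escaped_shell(EVIL_MESSAGE, File.join(dir, "log2.txt"))
  end
end
```

Two caveats a practitioner should keep in mind: the argv form stops the shell from interpreting the message, but not the called program from doing so (a message of `-n` would still be taken by `echo` as an option), and `system` with a single string only goes through `/bin/sh` when it contains shell metacharacters, which is exactly the attacker-controlled case.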