
False positive when passing a command array to Open3.pipeline #1862

alexandergitter opened this issue Aug 10, 2024 · 1 comment · Fixed by #1868


alexandergitter commented Aug 10, 2024

Background

Brakeman version: 6.1.2
Rails version: 7.2.0
Ruby version: 3.3.4

Link to Rails application code: -

False Positive

Full warning from Brakeman:

Confidence: High
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: Open3.pipeline(["ls", params["test"]])
File: a_file.rb
Line: 9

Relevant code:

Open3.pipeline(["ls", params["test"]])

Why might this be a false positive?
As far as I know, passing an array for a command to Open3.pipeline will treat the first element as the command and all other elements as parameters to the command, which makes the parameter elements safe against command injections.
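To see the behaviour the report describes, here is an added Ruby example (not from the issue, and not Brakeman's or Ruby's own code) that runs the same kind of input through Open3.pipeline in array form and, for contrast, in the single-string form that goes through a shell. The run_pipeline helper and the sample input are constructed for the demonstration; the :out option redirecting the last command's stdout to a file path is the documented Open3.pipeline option.

```ruby
require "open3"
require "tempfile"

# Helper (constructed for this example): run the commands with Open3.pipeline,
# redirecting the last command's stdout to a temp file via the :out option,
# and return [captured_output, exit_statuses].
def run_pipeline(*cmds)
  Tempfile.create("open3-demo") do |tmp|
    statuses = Open3.pipeline(*cmds, out: tmp.path)
    [File.read(tmp.path), statuses.map(&:exitstatus)]
  end
end

# Constructed stand-in for params["test"]: a value a shell would expand.
UNTRUSTED = "$HOME/reports".freeze

# Array form: ["echo", input] becomes spawn("echo", "$HOME/reports"), so no
# shell is involved and the argument reaches echo as a literal string.
def array_form(input = UNTRUSTED)
  run_pipeline(["echo", input], ["tr", "a-z", "A-Z"])
end

# String form: "echo #{input}" contains shell metacharacters, so Ruby runs it
# via /bin/sh, which expands $HOME before echo ever sees it. This is the
# pattern Brakeman's Execute check is meant to flag.
def string_form(input = UNTRUSTED)
  run_pipeline("echo #{input}", "tr a-z A-Z")
end

if __FILE__ == $PROGRAM_NAME
  out, statuses = array_form
  puts "array form  -> #{out.inspect} (exit #{statuses.inspect})"
  out, statuses = string_form
  puts "string form -> #{out.inspect} (exit #{statuses.inspect})"
end
```

The array form keeps the shell out of the picture, which is what makes the parameter elements safe from shell injection. It does not, however, validate that the value is a sensible argument for the program: a value starting with "-" is still parsed as an option by ls, so option-like input needs its own handling (for example a "--" separator or an allow-list) even when Brakeman no longer reports the call.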

@presidentbeef
Owner

Agree.

Pretty sure when those methods were added to the check, I gave up on tracking down the specifics of every safe/unsafe way of running commands...
