Command Injection

Some Ruby core methods accept string data that includes text to be executed as a system command.

They should not be called with unknown or unsanitized commands.

These methods include:

Some methods execute a system command only if the given path name starts with a |:

Note that some of these methods do not execute commands when called from subclass File:
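The following is an added example, not part of the original page. It uses `IO.popen` as one core method that runs system commands and contrasts the single-string form, which a shell parses, with the argument-array form. It then shows `File.read` treating a leading `|` as part of a file name. The method names `run_via_shell`, `run_via_argv` and `read_untrusted_path` and the sample inputs are constructed for illustration, and the code assumes a POSIX system with `echo` on the PATH.

```ruby
# Constructed sample of untrusted input: a value followed by a shell metacharacter.
UNTRUSTED_ARG = "report.txt; echo INJECTED"

# Constructed sample of an untrusted "path" that begins with the pipe character.
UNTRUSTED_PATH = "|echo INJECTED"

# Unsafe: the whole command is one string, so the shell parses it and
# the ";" inside the untrusted value starts a second command.
def run_via_shell(arg)
  IO.popen("echo #{arg}", &:read)
end

# Safer: the program and its arguments are passed as an array, so no shell
# is involved and the untrusted value stays a single literal argument.
def run_via_argv(arg)
  IO.popen(["echo", arg], &:read)
end

# Safer file read: File.read treats the string strictly as a file name,
# so a leading "|" is just a character in a (nonexistent) file name.
def read_untrusted_path(path)
  File.read(path)
rescue Errno::ENOENT
  :no_such_file
end

if __FILE__ == $PROGRAM_NAME
  puts "shell form: #{run_via_shell(UNTRUSTED_ARG).inspect}"
  puts "argv form:  #{run_via_argv(UNTRUSTED_ARG).inspect}"
  puts "File.read:  #{read_untrusted_path(UNTRUSTED_PATH).inspect}"
end
```

In the shell form the output contains a second line produced by the injected command; in the array form the same input is echoed back verbatim as data.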