Command Injection¶ ↑

Some Ruby core methods accept string data that includes text to be executed as a system command.

They should not be called with unknown or unsanitized commands.

These methods include:

• Kernel.exec

• Kernel.spawn

• Kernel.system

• ‘command` (backtick method) (also called by the expression %x[command]).

• IO.popen (when called with other than "-").

Some methods execute a system command only if the given path name starts with a |:

• Kernel.open(command).

• IO.read(command).

• IO.write(command).

• IO.binread(command).

• IO.binwrite(command).

• IO.readlines(command).

• IO.foreach(command).

• URI.open(command).

Note that some of these methods do not execute commands when called from subclass File:

• File.read(path).

• File.write(path).

• File.binread(path).

• File.binwrite(path).

• File.readlines(path).

• File.foreach(path).