Unsanitized user input in OS command

Description

Executing OS commands with user input can lead to command injection attacks. This vulnerability occurs when an application dynamically generates a command to the operating system using data supplied by the user without proper sanitization.

Remediations

  • Do not directly use user input to form OS commands. This can allow attackers to execute arbitrary commands.
    system(params[:command]) # unsafe
  • Do validate or sanitize user input before using it in OS commands. Prefer using static command strings where possible.
  • Do use indirect methods for incorporating user input into commands, such as selecting from predefined options.
    command =
      case params[:action]
      when "option1"
        "command1"
      when "option2"
        "command2"
      end

    # An unrecognized action leaves `command` nil; skip rather than pass nil to system
    system(command) if command
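The allow-list approach above, carried a step further as an added example (this is not code from the Bearer rule page): user input selects one of a few predefined argument vectors, and the vector is passed to `Kernel#system` in its multi-argument form, which executes the program directly instead of through a shell. It also shows the case the rule's snippet does not cover, where one user-supplied value (here a log file name) must become a command argument, so it is validated against a strict pattern and passed as a separate argv element. The `params` hash, the action names and the `LOG_DIR` path are assumptions made for the example.

```ruby
# Added example: allow-list dispatch for OS commands in a Ruby web handler.
# `params` is assumed to be a Rack/Rails-style hash with string or symbol keys.

# Every runnable command is fixed here; nothing from the request reaches the shell.
ALLOWED_COMMANDS = {
  "disk-usage" => ["df", "-h"],
  "uptime"     => ["uptime"]
}.freeze

# Directory in which user-selected log files live (constructed path for the example).
LOG_DIR = "/var/log/myapp".freeze

# Map a user-supplied action name to a predefined argv; nil for anything not allow-listed.
def command_for(action)
  ALLOWED_COMMANDS[action.to_s]
end

# Run the predefined command. system(*argv) with more than one element never invokes
# /bin/sh, so shell metacharacters in the fixed arguments are not reinterpreted.
def run_action(params)
  argv = command_for(params[:action])
  return false if argv.nil?

  system(*argv)
end

# When user data must be an argument, validate it strictly (base name only, no path
# separators) and return it as its own argv element; never interpolate it into a string.
def tail_command_for(log_name)
  name = log_name.to_s
  return nil unless name.match?(/\A[A-Za-z0-9_.-]+\.log\z/)

  ["tail", "-n", "50", File.join(LOG_DIR, name)]
end

def run_tail(params)
  argv = tail_command_for(params[:log])
  return false if argv.nil?

  system(*argv)
end
```

`command_for("disk-usage")` returns `["df", "-h"]`, while any value not in the table, such as `"disk-usage; id"`, returns nil and the handler refuses to run anything. `tail_command_for("app.log")` yields an argv whose last element is `/var/log/myapp/app.log`; a value containing `/`, spaces or a shell character fails the pattern and is rejected before any process is spawned.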

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_exec_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_lang_exec_using_user_input