Unsanitized user input in FTP request
- Rule ID: ruby_lang_ftp_using_user_input
- Languages: ruby
- Source: ftp_using_user_input.yml
Description
Using unsanitized user input in FTP requests can lead to severe security vulnerabilities. When your application uses raw user input in FTP operations without proper sanitization, it opens up avenues for attackers. They could exploit this to perform code injection attacks, where malicious code is executed by the application, or path traversal attacks, which allow unauthorized access to files and directories outside of the intended scope.
Remediations
- Do not use unsanitized user input to form filenames or file paths in FTP operations. Always sanitize input to prevent malicious data from being processed.

```ruby
Net::FTP.open("public/#{params["resource_name"]}.txt") do # unsafe
  # ...
end
```

- Do not pass unsanitized user input as arguments to FTP methods. Ensure input is validated or sanitized before use.

```ruby
Net::FTP.open("example.txt", username: params[:user]) do # unsafe
  # ...
end
```

- Do use a safelist for filenames and paths, allowing only known patterns.
- Do implement strict input validation checks, such as length, format, and type, to ensure only expected data is processed.
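The safelist and validation remediations above, combined into one path-building helper, as an added example that is not part of the Bearer rule or its documentation. The resource names, directory, and the `fetch_resource` wrapper are assumptions; `params` stands in for a Rails-style request hash.

```ruby
require "net/ftp"
require "pathname"

# Added example: build an FTP path from user input only after it passes a
# format check and an explicit safelist, then confirm it stays under PUBLIC_DIR.
RESOURCE_NAME = /\A[a-z0-9_-]{1,64}\z/                  # known-good characters only
ALLOWED_RESOURCES = %w[report summary invoice].freeze    # assumed safelist
PUBLIC_DIR = "public"                                    # assumed remote directory

class InvalidResourceName < ArgumentError; end

# Returns the validated remote path or raises InvalidResourceName.
# Callers pass the result to Net::FTP methods instead of interpolating params.
def safe_resource_path(raw_name, allowed: ALLOWED_RESOURCES)
  name = raw_name.to_s
  raise InvalidResourceName, "bad format" unless name.match?(RESOURCE_NAME)
  raise InvalidResourceName, "not in safelist" unless allowed.include?(name)

  path = "#{PUBLIC_DIR}/#{name}.txt"
  # Defence in depth: normalising the path must not move it outside PUBLIC_DIR.
  normalized = Pathname.new(path).cleanpath.to_s
  unless normalized.start_with?("#{PUBLIC_DIR}/")
    raise InvalidResourceName, "path escapes #{PUBLIC_DIR}"
  end
  normalized
end

# Hypothetical usage: host and credentials come from configuration, never from
# the request; only the validated path reaches the FTP call.
def fetch_resource(params, host: ENV.fetch("FTP_HOST"), user: ENV.fetch("FTP_USER"),
                   password: ENV.fetch("FTP_PASSWORD"))
  remote = safe_resource_path(params["resource_name"])
  Net::FTP.open(host, username: user, password: password) do |ftp|
    ftp.getbinaryfile(remote, File.basename(remote))
  end
end
```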
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=ruby_lang_ftp_using_user_input
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=ruby_lang_ftp_using_user_input