Unsanitized user input in FTP request

Description

Using unsanitized user input in FTP requests can lead to severe security vulnerabilities. When your application uses raw user input in FTP operations without proper sanitization, it opens up avenues for attackers. They could exploit this to perform code injection attacks, where malicious code is executed by the application, or path traversal attacks, which allow unauthorized access to files and directories outside of the intended scope.

Remediations

  • Do not use unsanitized user input to form filenames or file paths in FTP operations. Always sanitize input to prevent malicious data from being processed.
    require "net/ftp"

    # Request parameter is interpolated directly into the path: "../" sequences or
    # control characters in resource_name reach the FTP layer unchanged.
    Net::FTP.open("public/#{params["resource_name"]}.txt") do # unsafe
    # ...
    end
  • Do not pass unsanitized user input as arguments to FTP methods. Ensure input is validated or sanitized before use.
    require "net/ftp"

    # Request parameter is passed straight through as the FTP login name.
    Net::FTP.open("example.txt", username: params[:user]) do # unsafe
    # ...
    end
  • Do use a safelist for filenames and paths, allowing only known patterns.
  • Do implement strict input validation checks, such as length, format, and type, to ensure only expected data is processed.
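The safelist and validation approach from the two remediations above, as an added example rather than Bearer's own code; the resource safelist, the username format policy, and the `host` and `params` arguments are assumptions:

```ruby
require "net/ftp"

# Assumed safelist of known resource names; only exact matches are accepted.
ALLOWED_RESOURCES = %w[report invoice summary].freeze
RESOURCE_DIR = "public".freeze

# Returns the remote path for a known resource, or nil when the input is not safelisted.
# Exact matching rejects traversal ("../"), separators and control bytes without
# having to enumerate every dangerous pattern.
def safe_resource_path(resource_name)
  name = resource_name.to_s
  return nil unless ALLOWED_RESOURCES.include?(name)
  File.join(RESOURCE_DIR, "#{name}.txt")
end

# Assumed username policy: lowercase letter, then 2-31 of [a-z0-9_]; \A..\z anchors
# reject embedded newlines, so a value cannot smuggle extra FTP commands.
USERNAME_FORMAT = /\A[a-z][a-z0-9_]{2,31}\z/

# Returns the username when it matches the policy, nil otherwise.
def safe_ftp_username(user)
  user = user.to_s
  USERNAME_FORMAT.match?(user) ? user : nil
end

# Opens the FTP session only after both inputs pass validation.
# `host` and `params` are assumed; the network call is not exercised by the checks below.
def fetch_resource(host, params)
  path = safe_resource_path(params["resource_name"])
  user = safe_ftp_username(params[:user])
  raise ArgumentError, "resource not permitted" unless path
  raise ArgumentError, "invalid username" unless user
  Net::FTP.open(host, username: user) do |ftp|
    ftp.gettextfile(path, nil) # nil local file: contents are returned as a String
  end
end
```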

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_lang_ftp_using_user_input

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_lang_ftp_using_user_input