Security audit & tests for system commands
colinux opened this issue · 0 comments
colinux commented
The SystemCommand is a class that executes system commands. This class is instantiated with the program name (like "whois") and an array of arguments for this command.
```ruby
# app/services/system_command.rb
class SystemCommand
  def initialize(program, args)
    # ...
  end
end
```
The program always comes from our code, but part of the arguments come from users (e.g. the domain string for the whois check).
Each argument is put inside double quotes and escaped. Then the final command string is computed and given to the Open4 library.
We have to be sure there is no way to execute malicious code.
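Added example for the audit described above; it is not the project's SystemCommand and not Open4 code. It contrasts the "quote each argument, build one string, hand it to a shell" shape with an argv-based spawn, and runs a constructed set of hostile inputs through both. The `naive_quote` helper is a hypothetical double-quote-and-escape routine (the issue does not show the real escaping), the probe inputs are made up, and stdlib Open3 stands in for Open4 (the point is whether one string or an argv array reaches the child process).

```ruby
require "open3"
require "shellwords"

# Hypothetical naive quoting: wrap in double quotes, escape only the inner quote.
# This is NOT the project's escaping; it is here to show what double quotes
# alone do not protect against.
def naive_quote(arg)
  '"' + arg.gsub('"') { '\"' } + '"'
end

# The issue's shape: program plus quoted args joined into one command string.
def build_shell_string(program, args)
  ([program] + args.map { |a| naive_quote(a) }).join(" ")
end

# A single string containing shell metacharacters makes Ruby run it via sh -c,
# so the shell parses user data. Returns [combined output, exit status].
def run_shell_string(command_string)
  out, status = Open3.capture2e(command_string)
  [out, status.exitstatus]
end

# Safer shape: program and arguments as separate argv entries; no shell is
# involved, so nothing in the arguments is ever interpreted.
def run_argv(program, args)
  out, status = Open3.capture2e(program, *args)
  [out, status.exitstatus]
end

# If one string is unavoidable, Shellwords.join escapes every argument for
# /bin/sh instead of relying on double quotes.
def build_escaped_string(program, args)
  Shellwords.join([program] + args)
end

# Inside POSIX double quotes the shell still expands $(...), `...`, ${VAR} and
# $VAR. This static probe flags inputs that stay shell-active after naive quoting.
DQUOTE_ACTIVE = /\$\(|`|\$\{|\$[A-Za-z_]/

def shell_active_after_naive_quote?(input)
  naive_quote(input).match?(DQUOTE_ACTIVE)
end

# Constructed test inputs: one benign domain plus strings a hostile user might submit.
PROBE_INPUTS = [
  "example.com",
  "$(printf injected)",
  "`printf injected`",
  "${HOME}",
  "a\"b",
].freeze

# Maps each input to true when the naive quoting leaves it shell-active.
def audit_inputs(inputs = PROBE_INPUTS)
  inputs.each_with_object({}) { |i, h| h[i] = shell_active_after_naive_quote?(i) }
end

if __FILE__ == $PROGRAM_NAME
  hostile = "$(printf injected)"
  puts "naive shell string : #{run_shell_string(build_shell_string("echo", [hostile]))[0].inspect}"
  puts "Shellwords string  : #{run_shell_string(build_escaped_string("echo", [hostile]))[0].inspect}"
  puts "argv spawn         : #{run_argv("echo", [hostile])[0].inspect}"
  audit_inputs.each { |input, active| puts "#{active ? 'ACTIVE' : 'inert '} #{input.inspect}" }
end
```

With the naive string, `echo "$(printf injected)"` reaches sh and the substitution runs (output `injected`); with argv or a Shellwords-escaped string the literal `$(printf injected)` is what `echo` prints. The audit question for SystemCommand is therefore which of these two shapes the final call to Open4 takes, and whether the escaping covers `$`, backtick and backslash, not only the quote character.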