Command injection false positive with nested system call

[toupeira]

Background

Brakeman version: 4.6.1
Rails version: 5.2.3
Ruby version: 2.6.3

False Positive

Full warning from Brakeman:

Confidence: Medium
Category: Command Injection
Check: Execute
Message: Possible command injection
Code: system(*["foo", "bar", "#{value}"])
File: lib/foo.rb
Line: 5

Relevant code:

system(*%W(foo bar #{value}))

module Foo
  def test1
    system(*%W(foo bar #{value}))
  end

  def test2
    system('foo', 'bar', value)
  end
end

Note: I had to place this file in e.g. lib/foo.rb rather than the toplevel directory for Brakeman to pick it up, even though I passed --only-files foo.rb.

Why might this be a false positive?

The first system call outside of Foo is the same as in test1, but not reported as a warning.

Using a normal literal instead of %W() as in test2 doesn't get reported as a warning either, but this seems unnecessary. I originally thought %W() can result in variables containing whitespace to be interpreted as two arguments, but Ruby is smart enough to protect against that:

%W(#{'foo bar'}) === ['foo bar'] # -> true

[presidentbeef]

Hi @toupeira thank you for reporting!

It seems that the string interpolation in test1 is being wrongly treated as dangerous.

[presidentbeef]

I saw this fixed some issues in GitLab(-ci/hq) and thought "Huh, looks like someone does use this code pattern" and then I realized 🤣

[toupeira]

I saw this fixed some issues in GitLab(-ci/hq) and thought "Huh, looks like someone does use this code pattern" and then I realized 🤣

Haha yeah... which reminds me, I still need to finish watching those security training videos with you and Jim 😁

Thanks for the fix! 👍