Command injection false positive with nested system call #1399
Comments
Hi @toupeira thank you for reporting! It seems that the string interpolation in
I saw this fixed some issues in GitLab(-ci/hq) and thought "Huh, looks like someone does use this code pattern" and then I realized 🤣
Haha yeah... which reminds me, I still need to finish watching those security training videos with you and Jim 😁 Thanks for the fix! 👍
Background
Brakeman version: 4.6.1
Rails version: 5.2.3
Ruby version: 2.6.3
False Positive
Full warning from Brakeman:
Relevant code:
Note: I had to place this file in e.g. `lib/foo.rb` rather than the toplevel directory for Brakeman to pick it up, even though I passed `--only-files foo.rb`.
Why might this be a false positive?
The first `system` call outside of `Foo` is the same as in `test1`, but not reported as a warning. Using a normal literal instead of `%W()` as in `test2` doesn't get reported as a warning either, but this seems unnecessary. I originally thought `%W()` could result in variables containing whitespace being interpreted as two arguments, but Ruby is smart enough to protect against that:
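Added example (not code from the issue, the reporter, or Brakeman) showing the behaviour the report relies on: an interpolated expression inside `%W()` always becomes exactly one argv element, so the multi-argument form of `system`/`Open3` executes the program directly with no shell, whereas the single-string form is handed to `/bin/sh -c` and is injectable. The untrusted value, the helper names, and the use of Ruby itself as the child program (so the argument count the child actually received can be read back) are assumptions made for this example.

```ruby
require "rbconfig"
require "open3"

# Constructed sample input (assumption for this example): whitespace plus a
# shell metacharacter, as an attacker-controlled value might contain.
UNTRUSTED = "a b; echo injected".freeze

# Build an argv with %W(). The literal is split on its own whitespace at
# parse time; each #{...} expression contributes exactly one element, however
# much whitespace the interpolated value contains.
def argv_with_percent_w(value)
  %W(#{RbConfig.ruby} -e #{'puts ARGV.length'} #{value})
end

# Multi-argument form: Ruby exec()s the program directly, no shell involved,
# so the child receives the value as a single argument and the ';' is inert.
def argc_seen_by_child(value)
  out, _status = Open3.capture2(*argv_with_percent_w(value))
  out.to_i
end

# Single-string form: because the string contains shell metacharacters, Ruby
# hands it to /bin/sh -c, which splits on whitespace and honours ';', so the
# child sees two arguments and a second command runs.
def shell_form_output(value)
  out, _status = Open3.capture2("#{RbConfig.ruby} -e 'puts ARGV.length' #{value}")
  out
end

if __FILE__ == $PROGRAM_NAME
  p argv_with_percent_w(UNTRUSTED)        # four elements, the last one intact
  puts "argv form, child ARGV.length: #{argc_seen_by_child(UNTRUSTED)}"
  puts "shell form output:\n#{shell_form_output(UNTRUSTED)}"
end
```

The argv form is what a `%W()`-built `system` call in the report amounts to, which is why a warning on it is a false positive; the single-string form is the one Brakeman's command injection check is meant to catch.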