In my Rails controller, I take a URL that the user inputs and run the system command wget:
system("wget #{url}")
I’m afraid that the user might put in something like www.google.com && rm -rf ., which would make the controller execute the command
system("wget www.google.com && rm -rf .")
which deletes everything. How should I protect against this kind of attack? I’m not sure what other things the user could put in to harm my system.
Per this thread:
You can avoid shell expansion by passing arguments to the script individually:
Per the documentation on Kernel#system this form does not invoke a shell. Constructs like && are shell constructs, so if you use this form, then the param will be passed to /bin/wget literally as an argument.
That said, still be suspicious of input, sanitize where possible, and if feasible, run it as a non-privileged (or better yet, jailed) user.
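The two points in the answer above (multi-argument spawning and input validation), as an added example that is not part of the original answer. The helper names `wget_argv`, `fetch` and `argv_seen_by_child`, the http/https allowlist and the sample payload are assumptions made for illustration.

```ruby
require "uri"
require "open3"
require "rbconfig"

ALLOWED_SCHEMES = %w[http https].freeze

# Hypothetical helper: validate user input, then build an argv array.
# "--" tells wget that nothing after it is an option, so a value that
# starts with "-" cannot be read as a flag.
def wget_argv(raw_url)
  uri = URI.parse(raw_url) # spaces and shell syntax fail to parse
  unless ALLOWED_SCHEMES.include?(uri.scheme) && !uri.host.to_s.empty?
    raise ArgumentError, "only absolute http(s) URLs are accepted"
  end
  ["wget", "--", uri.to_s]
rescue URI::InvalidURIError
  raise ArgumentError, "not a valid URL"
end

# Multi-argument Kernel#system: no shell is started, each element is one argv entry.
def fetch(raw_url)
  system(*wget_argv(raw_url))
end

# Shows what a child receives in the multi-argument form. The child is
# Ruby itself printing ARGV[0], so the demo needs neither wget nor network.
def argv_seen_by_child(arg)
  out, status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", "--", arg)
  raise "child process failed" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  payload = "www.example.com && echo INJECTED" # constructed sample input
  puts "child saw: #{argv_seen_by_child(payload).inspect}"
  begin
    wget_argv(payload)
  rescue ArgumentError => e
    puts "rejected before spawning: #{e.message}"
  end
  p wget_argv("https://example.com/file.tar.gz")
end
```

The argv form only removes shell interpretation; the scheme allowlist and the `--` separator cover input that is a single valid argument but still unwanted, such as a `file:` URL or a string beginning with `-`.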