Command injection warning silenced with equality operator #1199

JacobEvelyn · 2018-05-08T14:34:07Z

Brakeman version: 4.2.1
Rails version: 5.1.6
Ruby version: 2.3.4

I expect this code to produce a command injection warning in brakeman:

def dangerous(foo)
  `echo #{foo}` == "1"
end

but the == "1" appears to prevent brakeman from spotting the vulnerability.

The text was updated successfully, but these errors were encountered:

JacobEvelyn · 2018-05-08T15:46:28Z

And, relatedly, brakeman does not warn about this either:

def dangerous(foo)
  !system("echo #{foo}")
end

presidentbeef · 2018-05-08T18:23:37Z

Thanks, Jake.

The first one appears to already be fixed on master.

The second one is an easy fix.

fixes #1199

presidentbeef added a commit that referenced this issue May 9, 2018

Check exec-type calls if they are targets

4058c0a

fixes #1199

presidentbeef added a commit that referenced this issue May 9, 2018

Check exec-type calls if they are targets

fc1dd99

fixes #1199

presidentbeef mentioned this issue May 9, 2018

Check exec-type calls if they are targets #1200

Merged

presidentbeef closed this as completed in #1200 May 9, 2018

dependencies bot mentioned this issue May 14, 2018

Update brakeman in / from 4.2.1 to 4.3.0 severest/question-cove#41

Merged

Repository owner locked and limited conversation to collaborators Jul 14, 2018

Provide feedback