this post was submitted on 22 Jul 2023
2 points (100.0% liked)

Ruby InfoSec

2 readers
1 users here now

Where Ruby and InfoSec intersect.

founded 1 year ago
MODERATORS
 

Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here