tags:

views:

105

answers:

2
+1  Q: 

What's the best way in Ruby to clean up a user-provided url string so that it's safe to interpolate into a shell command?

I want to let a user of a web app enter a URL and then pass that URL onto curl. I'd rather use curl than Net::HTTP or open-uri. But this poses a security risk. What's the best way to check the URL string and prevent any injection attacks?

I'm thinking of just using a regular expression like this to check for an injection attack:

raise "possible injection attack" if url =~ /[\s']/

and if that check succeeds, then just invoke curl like so

html = `curl '#{url}'`

Is this safe enough?

A: 

Maybe you're better off using a library like libcurl (to avoid having to use shell commands) ?

ChristopheD  2009-12-20 19:18:58
Thanks. I'll look into that, but I'm still interested in the answer to my original question as a matter of general technique, since there are a lot of unix tools I would be able to love to reuse from Ruby.
dan  2009-12-20 19:22:49
I guess it's probable to assume most popular unix tools will have Ruby bindings for them (I know this is certainly the case with Python).
ChristopheD  2009-12-20 19:24:27
Is there something seriously wrong with wanting to use Ruby (or Python) as glue code that invokes and orchestrates small external programs via the shell? It seems that there is a strong bias here against that, although the Unix Philosophy used to encourage this sort of style.
dan  2009-12-20 19:57:19
+1  A:  
system("curl", url)

this is safe because parameters are directly passed to the main(argv) of the command rather than being parsed by a command line processor. For example system("echo", "* && echo shenanigan") literally outputs * && echo shenanigan.

Adrian  2009-12-20 20:10:04
Thanks. I think `system(cmd [, arg, ...])` is more what I was looking for but you pointed me in the right direction.
dan  2009-12-20 20:15:37
True enough, I keep confusing the two: `exec` replaces the current script with the command, while `system` continues the script afterwards. Fix'd.
Adrian  2009-12-20 20:19:21
and why is this safe to do?
samg  2009-12-20 20:27:05
dan  2009-12-20 20:36:11
The command is directly called, imagine calling `main(argv)` with an array of strings, rather than passing a command line to the command line processor. In deed, @dan's example outputs the parameter literally.
Adrian  2009-12-20 21:58:49

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?