author | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-11-25 17:39:23 +0100 |
committer | Jacob Vosmaer <contact@jacobvosmaer.nl> | 2015-11-25 17:40:01 +0100 |
commit | c4ea06e5e40c2108ed0ee79befc71790f2fc08b4 (patch) | |
tree | ad78e1181b130519fdeca301491b04d9392e1386 | |
parent | 1a75d086b53d799ac10f77acfb198f2c5ea95621 (diff) | |
download | gitlab-shell-c4ea06e5e40c2108ed0ee79befc71790f2fc08b4.tar.gz |
Disallow execing strings
Passing strings to Kernel::exec leads to remote code execution.
-rw-r--r-- | lib/gitlab_shell.rb | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/gitlab_shell.rb b/lib/gitlab_shell.rb
index a33e2e3..a3509ec 100644
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -119,6 +119,13 @@ class GitlabShell
 # This method is not covered by Rspec because it ends the current Ruby process.
 def exec_cmd(*args)
+ # If you want to call a command without arguments, use
+ # exec_cmd(['my_command', 'my_command']) . Otherwise use
+ # exec_cmd('my_command', 'my_argument', ...).
+ if args.count == 1 && !args.first.is_a?(Array)
+ raise DisallowedCommandError
+ end
+
 env = {
 'PATH' => ENV['PATH'],
 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'],
 |