Dozens of Ruby-related CVEs have been caused by user input being passed to the top-level Kernel.open() method, which not only accepts paths or URIs (if open-uri has been loaded), but also "|command-here" commands which are then opened using IO.popen() resulting in Remote Command Execution (RCE) vulnerabilities. In the next minor Ruby version (3.3.0) a deprecation warning will be printed if a "|command-here" input is given to Kernel.open(). Hopefully, in Ruby 4.0 this insecure feature will be removed.

You are viewing a single thread.
View all comments
2 points

I’m glad security is getting some good efforts!

permalink
report
reply

Ruby

!ruby@programming.dev

Create post

A community for discussion and news about Ruby programming.

Learning Ruby?

Tools

Documentation

Books

Screencasts

News and updates

Community stats

  • 5

    Monthly active users

  • 72

    Posts

  • 55

    Comments