Forum: Ruby Looking for external program invocations

I have some open source software packages that were written in Ruby by a 
third
party that make use of external programs. For the purposes of security
auditing, and for making appropriate fixes, I need to locate all 
instances
within the code, where an external program is being called.

What keywords or functions would I need to locate?

I am thinking of using grep to simply search for the function names. 
Would
that be sufficient, or is it possible that function names are split 
across
several lines, making it possible for some instances to be missed during 
the
audit?

Mark.

Mark Hobley wrote:
> I have some open source software packages that were written in Ruby by a 
> third
> party that make use of external programs. For the purposes of security
> auditing, and for making appropriate fixes, I need to locate all 
> instances
> within the code, where an external program is being called.
> 
> What keywords or functions would I need to locate?
> 
> I am thinking of using grep to simply search for the function names. 
> Would
> that be sufficient, or is it possible that function names are split 
> across
> several lines, making it possible for some instances to be missed during 
> the
> audit?

If you're asking this question, then I'm sorry to say that you shouldn't 
be doing this audit in the first place.  To do an effective security 
audit of a program written in Ruby, you must understand the language at 
a reasonably advanced level.  Hire an experienced Rubyist for this job.

Or, since these are open source programs, perhaps you should contact 
their developers to discuss security concerns.

> 
> Mark.

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org

Marnen Laibow-Koser <marnen@marnen.org> wrote:
> If you're asking this question, then I'm sorry to say that you shouldn't 
> be doing this audit in the first place.  To do an effective security 
> audit of a program written in Ruby, you must understand the language at 
> a reasonably advanced level.  Hire an experienced Rubyist for this job.

I haven't got the cash because I only work part time, so I need to do 
this
myself.

I am thinking that I can use grep to locate the code lines, and then 
reverse
engineer the code section, to find out where the command data comes 
from, and
whether or not it is from a secure source.

A quick google tells me that I need to look for backticks or a system 
command.

Does Ruby support all of the system calls by name? (For example do I 
also need
to look for exec and other system calls?).

Can commands avoid grep by being split using a line break?

Can macros be derived from strings and then subsequently used as a 
command
by using only the macro name?

Mark.

On 2010-02-09, Mark Hobley <markhobley@hotpop.donottypethisbit.com> 
wrote:
> I am thinking that I can use grep to locate the code lines, and then reverse
> engineer the code section, to find out where the command data comes from, and
> whether or not it is from a secure source.

Maybe.

> A quick google tells me that I need to look for backticks or a system command.

Or %x.

> Can commands avoid grep by being split using a line break?

Perhaps?

> Can macros be derived from strings and then subsequently used as a command
> by using only the macro name?

Something like that is certainly conceivable.

Okay, here's your problem:  Imagine that there's some underlying 
dangerous
call:

  foo("bar")

And you want to hide this.  Okay.  How about...

  x = 'b'
  x << a
  x << r
  y = 'f'
  y << 'o'
  y << y[1]
  y << '('
  y << 'x'
  y << ')'
  eval y

In short, the question is whether you are worried about intentional 
deception,
or just about carelessness.  For carelessness, you probably don't need 
to
worry about split lines and so on, and a quick scan through the project 
for
places where commands might be run may do it.

-s

On Feb 8, 2010, at 16:11 , Mark Hobley wrote:

> I have some open source software packages that were written in Ruby by a third
> party that make use of external programs. For the purposes of security
> auditing, and for making appropriate fixes, I need to locate all instances
> within the code, where an external program is being called.
> 
> What keywords or functions would I need to locate?

There are quite a number of them. Here are some of them:

`cmd` or %x"cmd" (arbitrary delimiters for %x)
system
IO.popen
File.open

You should also look at IO.fork, IO.pipe, anything using the Process 
class, and probably a lot of other stuff.

Look at "Spawning new processes" in Programming Ruby:

"The file-naming convention of many IO methods and Kernel.open will also 
spawn subprocesses if you put a | as the first character of the 
filename."

Make sure you realize the implications of what you're doing. As others 
have pointed out, to do a _real_ job of security audit, you need to know 
the language. If you're just doing a CYA, that's another story.

Ryan Davis <ryand-ruby@zenspider.com> wrote:
> Look at "Spawning new processes" in Programming Ruby:

Blimey! That was a bit of luck! A section specifically on spawning new
processes. Thanks Ryan!.

I wonder if that is complete, or whether there are methods outside of 
this.
Anyway, that has given me a good starting point.

I wonder if there is any software that can be used to perform such 
audits on
Ruby code.

Mark.

Mark Hobley wrote:
> Marnen Laibow-Koser <marnen@marnen.org> wrote:
>> If you're asking this question, then I'm sorry to say that you shouldn't 
>> be doing this audit in the first place.  To do an effective security 
>> audit of a program written in Ruby, you must understand the language at 
>> a reasonably advanced level.  Hire an experienced Rubyist for this job.
> 
> I haven't got the cash because I only work part time, so I need to do 
> this
> myself.
> 

OK.  Since you can't spend money, you'll need to spend time learning 
Ruby to at least an intermediate level.  It's not simply a question of 
looking for specific literal keywords.

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
marnen@marnen.org