Looking for external program invocations

I have some open source software packages that were written in Ruby by a third party that make use of external programs. For the purposes of security auditing, and for making appropriate fixes, I need to locate all instances within the code, where an external program is being called.

What keywords or functions would I need to locate?

I am thinking of using grep to simply search for the function names. Would that be sufficient, or is it possible that function names are split across several lines, making it possible for some instances to be missed during the audit?

Mark.

Mark H. wrote:

I have some open source software packages that were written in Ruby by a third party that make use of external programs. For the purposes of security auditing, and for making appropriate fixes, I need to locate all instances within the code, where an external program is being called.

What keywords or functions would I need to locate?

I am thinking of using grep to simply search for the function names. Would that be sufficient, or is it possible that function names are split across several lines, making it possible for some instances to be missed during the audit?

If you’re asking this question, then I’m sorry to say that you shouldn’t
be doing this audit in the first place. To do an effective security
audit of a program written in Ruby, you must understand the language at
a reasonably advanced level. Hire an experienced Rubyist for this job.

Or, since these are open source programs, perhaps you should contact
their developers to discuss security concerns.

Mark.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Marnen Laibow-Koser [email protected] wrote:

If you’re asking this question, then I’m sorry to say that you shouldn’t
be doing this audit in the first place. To do an effective security
audit of a program written in Ruby, you must understand the language at
a reasonably advanced level. Hire an experienced Rubyist for this job.

I haven’t got the cash because I only work part time, so I need to do this myself.

I am thinking that I can use grep to locate the code lines, and then reverse engineer the code section, to find out where the command data comes from, and whether or not it is from a secure source.

A quick google tells me that I need to look for backticks or a system command.

Does Ruby support all of the system calls by name? (For example do I also need to look for exec and other system calls?).

Can commands avoid grep by being split using a line break?

Can macros be derived from strings and then subsequently used as a command by using only the macro name?

Mark.

On 2010-02-09, Mark H. [email protected] wrote:

I am thinking that I can use grep to locate the code lines, and then reverse
engineer the code section, to find out where the command data comes from, and
whether or not it is from a secure source.

Maybe.

A quick google tells me that I need to look for backticks or a system command.

Or %x.

Can commands avoid grep by being split using a line break?

Perhaps?

Can macros be derived from strings and then subsequently used as a command
by using only the macro name?

Something like that is certainly conceivable.

Okay, here’s your problem: Imagine that there’s some underlying dangerous call:

foo("bar")

And you want to hide this. Okay. How about…

x = 'b'      # build the argument "bar" one character at a time
x << 'a'
x << 'r'
y = 'f'      # build the source text "foo(x)" the same way
y << 'o'
y << y[1]    # y[1] is 'o', so nothing spells out the name literally
y << '('
y << 'x'
y << ')'
eval y       # runs foo(x), i.e. foo("bar"), with neither name greppable

In short, the question is whether you are worried about intentional deception, or just about carelessness. For carelessness, you probably don’t need to worry about split lines and so on, and a quick scan through the project for places where commands might be run may do it.

-s

On Feb 8, 2010, at 16:11 , Mark H. wrote:

I have some open source software packages that were written in Ruby by a third
party that make use of external programs. For the purposes of security
auditing, and for making appropriate fixes, I need to locate all instances
within the code, where an external program is being called.

What keywords or functions would I need to locate?

There are quite a number of them. Here are some of them:

`cmd` or %x"cmd" (arbitrary delimiters for %x)
system
IO.popen
File.open

You should also look at IO.fork, IO.pipe, anything using the Process
class, and probably a lot of other stuff.

Look at “Spawning new processes” in Programming Ruby:

“The file-naming convention of many IO methods and Kernel.open will also
spawn subprocesses if you put a | as the first character of the
filename.”

Make sure you realize the implications of what you’re doing. As others
have pointed out, to do a real job of security audit, you need to know
the language. If you’re just doing a CYA, that’s another story.

Mark H. wrote:

Marnen Laibow-Koser [email protected] wrote:

If you’re asking this question, then I’m sorry to say that you shouldn’t
be doing this audit in the first place. To do an effective security
audit of a program written in Ruby, you must understand the language at
a reasonably advanced level. Hire an experienced Rubyist for this job.

I haven’t got the cash because I only work part time, so I need to do this myself.

OK. Since you can’t spend money, you’ll need to spend time learning
Ruby to at least an intermediate level. It’s not simply a question of
looking for specific literal keywords.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
[email protected]

Ryan D. [email protected] wrote:

Look at “Spawning new processes” in Programming Ruby:

Blimey! That was a bit of luck! A section specifically on spawning new processes. Thanks Ryan!

I wonder if that is complete, or whether there are methods outside of this. Anyway, that has given me a good starting point.

I wonder if there is any software that can be used to perform such audits on Ruby code.

Mark.
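A small parse-tree scanner, added here as an illustration and not something posted in the thread, that answers the grep question and the closing "is there software for this" question together: it uses the standard-library Ripper to find the call forms Ryan lists (backticks, %x, system, IO.popen, the "|" filename trick for open and friends) and flags eval/send style dynamic dispatch of the kind Seth describes for manual review, so a call split across lines or reached through a receiver is still found. The constant names, find_spawns and the sample source are my own.

```ruby
require "ripper"
# Added audit helper (not code from the thread): walk Ripper's parse tree and report
# every call site that can start an external program, split lines included.
SPAWN   = %w[system exec spawn popen fork].freeze
PIPE    = %w[open read readlines foreach].freeze # also run "|cmd" as a command
DYNAMIC = %w[eval instance_eval class_eval send public_send __send__].freeze
def first_line(node) # tokens look like [:@ident, "x", [line, col]]
  return node[2][0] if node[0].is_a?(Symbol) && node[0].to_s.start_with?("@")
  node.each { |c| c.is_a?(Array) && (l = first_line(c)) and return l }
  nil
end
def callee(node) # [name, line, args] for a call node, nil otherwise
  case node[0]
  when :method_add_arg then n, l = callee(node[1]); [n, l, node[2]]
  when :fcall, :vcall, :command then [node[1][1], node[1][2][0], node[2]]
  when :call, :command_call then node[3].is_a?(Array) ? [node[3][1], node[3][2][0], node[4]] : nil
  end
end
def pipe_literal?(args) # first argument is a string literal starting with "|"
  args = args[1] if args.is_a?(Array) && args[0] == :arg_paren
  lit = args.is_a?(Array) && args[0] == :args_add_block ? Array(args[1]).first : nil
  return false unless lit.is_a?(Array) && lit[0] == :string_literal
  (piece = lit[1][1]).is_a?(Array) && piece[0] == :@tstring_content && piece[1].start_with?("|")
end
def find_spawns(src) # => [[line, name, kind], ...] sorted by line
  tree = Ripper.sexp(src) or raise ArgumentError, "source does not parse"
  hits = []
  walk = lambda do |node, counted| # counted: parent method_add_arg already reported it
    return unless node.is_a?(Array)
    if node[0] == :xstring_literal # `cmd` and %x(cmd)
      hits << [first_line(node), "`cmd`/%x", "shell"]
    elsif !(counted && %i[fcall call].include?(node[0]))
      name, line, args = callee(node)
      kind = SPAWN.include?(name) ? "spawn" : DYNAMIC.include?(name) ? "dynamic" :
             PIPE.include?(name) && args && pipe_literal?(args) ? "pipe" : nil
      hits << [line, name, kind] if kind
    end
    node.each { |c| walk.call(c, node[0] == :method_add_arg) }
  end
  walk.call(tree, false)
  hits.sort_by { |h| h[0] || 0 }
end
SAMPLE = <<~'RUBY' # constructed input: split IO.popen, "|" open, send, two literals
  ls = `ls -l #{dir}`
  IO.
    popen("gzip -c", "r") { |io| io.read }
  open("|sort #{path}")
  Kernel.send(:exec, cmd)
  out = %x(uname -a)
RUBY
```

Running find_spawns(SAMPLE) reports lines 1, 3, 4, 5 and 6; a grep for "IO.popen" would miss line 3 and one for "exec" would only see a symbol, which is the gap between text search and parse-tree search.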