Safe command line execution

Hi all. I have an application that needs to execute a system call via
command line. However, the problem I’m running into is this particular
command takes a username and password both of which can be any pattern and
combination of special characters. Does anyone know of a way to safely
execute this command with these free form parameters without risk of
malicious code being inadvertently executed? The pattern of the command is
as follows:

/usr/bin/cmd -username #{username} -password #{password}

At 2009-10-07 03:15PM, “Zundra D.” wrote:

Hi all. I have an application that needs to execute a system call via
command line. However, the problem I’m running into is this particular
command takes a username and password both of which can be any pattern and
combination of special characters. Does anyone know of a way to safely
execute this command with these free form parameters without risk of
malicious code being inadvertently executed? The pattern of the command is
as follows:

/usr/bin/cmd -username #{username} -password #{password}

Call system with more than one argument, and you don’t get the shell
involved:

system "/usr/bin/cmd", "-username", username, "-password", password

Zundra D. wrote:

Does anyone know of a way to safely execute this command with
these free form parameters without risk of malicious code being
inadvertently executed? The pattern of the command is as
follows:

/usr/bin/cmd -username #{username} -password #{password}

Just avoid any shell expansion. This can be done by passing the
arguments to Kernel#system individually:

system("/usr/bin/cmd", "-username", username, "-password", password)

See the docs for Kernel#system and Kernel#exec.

Henning
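
Added example (not part of the original thread): the difference between the argument-list form recommended above and a single interpolated string, shown with Open3.capture2, which follows the same rule as Kernel#system. The child process standing in for /usr/bin/cmd and the sample values are assumptions constructed for illustration.

```ruby
require "open3"
require "rbconfig"
require "shellwords"

# Stand-in for /usr/bin/cmd (assumption): a child Ruby process that prints the
# arguments it received, NUL-separated, so the parent can compare them exactly.
CHILD = [RbConfig.ruby, "-e", 'print ARGV.join("\0")', "--"].freeze

# Constructed sample values; every shell metacharacter here is just data.
TRICKY_PASSWORD = %q{pa ss'w"rd; echo INJECTED $(echo SUB) `echo TICK` *}
SIMPLE_PAYLOAD  = "s3cr3t; echo INJECTED"

# Argument-list form, as with system(cmd, arg1, arg2, ...): no shell runs,
# so each element arrives in the child's ARGV byte for byte.
def run_as_argv(username, password)
  out, status = Open3.capture2(*CHILD, "-username", username, "-password", password)
  raise "child exited with #{status.exitstatus}" unless status.success?
  out.split("\0", -1)
end

# Single-string form, as with system("... #{password}"): /bin/sh parses the
# whole line first, so text after ';' runs as a second command.
def run_as_shell_string(username, password)
  line = "#{Shellwords.join(CHILD)} -username #{username} -password #{password}"
  out, _status = Open3.capture2(line)
  out
end

if $PROGRAM_NAME == __FILE__
  p run_as_argv("alice", TRICKY_PASSWORD)
  p run_as_shell_string("alice", SIMPLE_PAYLOAD)
end
```

In the argument-list form the child receives the password unchanged; in the string form the child sees only `s3cr3t` and the shell runs the rest of the line as its own command.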

On Wednesday 07 October 2009 02:15:21 pm Zundra D. wrote:

/usr/bin/cmd -username #{username} -password #{password}

As others have mentioned, you could do system like this instead:

system '/usr/bin/cmd', '-username', username, '-password', password

But there’s a security flaw in the way you’re doing this – chances are, anyone
on the system can read those straight from the system process list. Is there
any way to supply these credentials to that command, other than the
command line?

Hi,

On Thursday, 08 Oct 2009, 04:15:21 +0900, Zundra D. wrote:

/usr/bin/cmd -username #{username} -password #{password}

It has already been said that this is very dangerous. Please check
the command you want to execute for something like ssh’s
SSH_ASKPASS environment variable or gpg’s --passphrase-fd option.

Bertram

Thanks all for the input. Unfortunately there is no other way to execute
this particular script. It is actually a custom written application written
by another team at my company. However, the device this application is
controlling does not allow users access to a shell so, correct me if I’m
wrong, the risks here are minimal in that regard. The only safeguard I was
looking for, which has been answered, was against the apache user attempting
to execute some malicious code. If a user happens to gain shell access to
this device we have way bigger problems. Again, thanks everyone for the
input and please let me know if I’m overlooking something.