Closed ooooooo-q closed 6 years ago
The use of `Kernel.open` is intentional so one could download and open a tarball from a URL, but as you say this could be an injection. I would happily accept a PR to add this warning to the README with a link to the article you suggested. I don't think that `Minitar.{,un}pack` accepts an IO, but that would be a way of offloading the security risk to the consumer of the library (`Minitar.unpack(open('|touch xxx'))`) without actually solving anything.
Fixed in #30 (an expansion of #29).
overview
`Archive::Tar::Minitar::Output` and `Archive::Tar::Minitar::Input` use `Kernel.open`. Ruby's `Kernel.open` has multiple behaviors. Especially when a character string starting with `|` is used, it becomes command injection. (refer: https://sakurity.com/blog/2015/02/28/openuri.html)
PoC
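A defensive counterpart to the behaviour described above, added here as an example (it is not the issue's PoC and not minitar's code): a hypothetical `safe_open` helper that never hands a caller-supplied string to `Kernel.open`, using `File.open` for local paths and open-uri's `URI#open` for http(s) URLs, so a `|`-prefixed string is rejected instead of being run as a command.

```ruby
require "uri"
require "open-uri"

# Hypothetical helper, not part of minitar. Conservative check: Kernel.open
# treats a string beginning with "|" as a command to spawn, so refuse it.
def pipe_source?(source)
  source.is_a?(String) && source.lstrip.start_with?("|")
end

# Returns an IO for a local path or an http(s) URL. Neither branch goes
# through Kernel.open, so the "|cmd" behaviour is never reachable.
def safe_open(source)
  raise ArgumentError, "refusing pipe-style source #{source.inspect}" if pipe_source?(source)
  uri = begin
    URI.parse(source.to_s)
  rescue URI::InvalidURIError
    nil
  end
  if uri.is_a?(URI::HTTP)        # URI::HTTPS is a subclass of URI::HTTP
    uri.open("rb")               # open-uri HTTP fetch only, never a shell
  else
    File.open(source, "rb")      # File.open treats "|..." as a literal filename
  end
end

# Contrast with the unsafe pattern in the issue: Kernel.open("|touch xxx")
# runs `touch xxx`, whereas File.open on a "|..." string only looks for a
# file of that name and fails with ENOENT. Returns false when no command ran.
def file_open_interprets_pipe?
  File.open("|echo injected", "rb") { true }
rescue Errno::ENOENT
  false
end
```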