ruby / uri

URI is a module providing classes to handle Uniform Resource Identifiers
https://ruby.github.io/uri/

[RFC] Deprecate `URI.open("|command-here")` due to security issues #72

Closed: postmodern closed this issue 1 year ago

postmodern commented 1 year ago

I believe that `URI.open()` should not accept `"|command"` style arguments (e.g. `URI.open("|ls")`). I understand that `URI.open()` builds upon `Kernel.open()`, which does accept `"|command"` style arguments; however, `"|command-here"` is not a valid URI and thus should not be accepted by `URI.open()`. This would also help close a common vulnerability code path where developers pass arbitrary user input to `URI.open()` assuming that only valid URIs will be passed to it, but an attacker can achieve Remote Command Execution by passing in `|evil-command-here` instead of an `https://` URI.

This could be deprecated with a warning at first, then removed entirely in Ruby 4.0.0.
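The mitigation side of the code path described above, as an added example that is not part of this issue thread or of the ruby/uri project's own code: validate user-supplied input with an explicit scheme allowlist and `URI.parse` before anything is opened, and then call `#open` on the resulting `URI::HTTP` object rather than handing the raw string to `URI.open`. The method names `safe_http_uri`, `safe_http_uri?`, the `UnsafeURIError` class and the `ALLOWED_SCHEMES` list are assumptions made for this example; the `params[:url]` usage in the comments is hypothetical application code.

```ruby
# Added example (not from the ruby/uri issue thread or project): validate
# user-supplied input before it can ever reach URI.open, so "|command"
# strings are refused instead of being handed to Kernel.open's pipe semantics.
require "uri"

# Hypothetical error class for this example.
class UnsafeURIError < ArgumentError; end

# Schemes the application is willing to fetch; anything else is refused.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns a URI::HTTP / URI::HTTPS object for +input+, or raises UnsafeURIError.
# The scheme check runs on the raw string before parsing, so "|ls" or
# "file:///etc/passwd" is rejected regardless of how the parser treats it.
def safe_http_uri(input)
  str = input.to_s.strip
  raise UnsafeURIError, "empty input" if str.empty?

  # Explicit allowlist: the string must begin with an allowed scheme and "://".
  unless str.match?(%r{\A(?:#{ALLOWED_SCHEMES.join('|')})://}i)
    raise UnsafeURIError, "scheme not allowed: #{str.inspect}"
  end

  begin
    uri = URI.parse(str)
  rescue URI::InvalidURIError => e
    raise UnsafeURIError, "not a valid URI: #{e.message}"
  end

  # Second check on the parsed object: must be an absolute HTTP(S) URI with a host.
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise UnsafeURIError, "not an absolute HTTP(S) URI: #{str.inspect}"
  end

  uri
end

# Boolean convenience wrapper around safe_http_uri.
def safe_http_uri?(input)
  safe_http_uri(input)
  true
rescue UnsafeURIError
  false
end

# Usage pattern (hypothetical application code), with open-uri loaded:
#   require "open-uri"
#   safe_http_uri(params[:url]).open { |io| io.read }  # URI::HTTP#open: no pipe-command path
# The pattern the issue describes, for comparison:
#   URI.open(params[:url])  # a "|command" string would reach Kernel.open

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one legitimate URL, two that must be refused.
  %w[https://example.com/ |ls file:///etc/passwd].each do |s|
    puts "#{s.inspect} -> #{safe_http_uri?(s)}"
  end
end
```

The raw-string scheme check is deliberately done before `URI.parse`: it does not matter whether a given Ruby version's parser happens to reject a leading pipe, because the allowlist already refuses anything that is not `http://` or `https://`. Calling `#open` on the parsed `URI::HTTP` object, rather than `URI.open(string)`, also removes the `Kernel.open` string-dispatch step entirely.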

Fryguy commented 1 year ago

I highly doubt this is even used in the wild, so it's probably not worth waiting for a major version.

postmodern commented 1 year ago

Also, I wasn't sure if I should report Deprecation RFCs to here, or to https://bugs.ruby-lang.org/.

postmodern commented 1 year ago

Oops, I should have reported this to ruby/open-uri.