ruphin / mech

An open container orchestration framework
MIT License

Escape command parameters with Shellwords.escape #3

Open FooBarWidget opened 9 years ago

FooBarWidget commented 9 years ago

Building a shell command string suffers from the same problems as building an SQL query string. You should escape parameters not only to prevent shell injection, but also to prevent syntax errors in case your input contains unexpected characters.

For example, consider mongo-main-mongos-manager/mongo_main_mongos.rb:

json = `docker exec #{TASK}-#{Mech::ID}-worker mongo localhost/admin --eval 'printjson(#{command})'`.chomp.....

You should use Shellwords.escape (part of require 'shellwords') to escape command:

escaped_eval_arg = Shellwords.escape("printjson(#{command})")
json = `docker exec #{TASK}-#{Mech::ID}-worker mongo localhost/admin --eval #{escaped_eval_arg}`.chomp.....

The usage of Shellwords.escape solves the following problem which you have already documented:

# THE DOCKER COMMAND MAY NOT CONTAIN ' OR " SYMBOLS
# If it does, ruby will start the command with a `sh -c` wrapper, causing Process.kill to fail
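The effect the comment describes, as an added example that is not part of the issue or the mech project: the command string is built both with the original single-quote wrapping and with Shellwords.escape, and Shellwords.split (which tokenizes a string the way sh does) shows what argv word mongo would actually receive in each case. TASK, MECH_ID and the eval command are constructed placeholders standing in for the project's real values; the argv-array helper is an alternative added here, not something the issue proposes.

```ruby
require 'shellwords'

# Constructed placeholders for the project's TASK / Mech::ID interpolation.
TASK = 'mongo-main'
MECH_ID = '42'

# The fix the issue recommends: escape the whole --eval argument so it always
# reaches mongo as exactly one argv element, whatever `command` contains.
def build_mongo_eval(command, task: TASK, mech_id: MECH_ID)
  eval_arg = Shellwords.escape("printjson(#{command})")
  "docker exec #{task}-#{mech_id}-worker mongo localhost/admin --eval #{eval_arg}"
end

# The original construction, kept only to show its failure mode: any single
# quote inside `command` closes the quoting early.
def build_mongo_eval_unsafe(command, task: TASK, mech_id: MECH_ID)
  "docker exec #{task}-#{mech_id}-worker mongo localhost/admin --eval 'printjson(#{command})'"
end

# Alternative added here: hand the process an argv array instead of a string.
# IO.popen / Process.spawn accept this form and never involve sh at all, so no
# escaping is needed and the child is the real process, not an sh -c wrapper.
def mongo_eval_argv(command, task: TASK, mech_id: MECH_ID)
  ['docker', 'exec', "#{task}-#{mech_id}-worker", 'mongo', 'localhost/admin',
   '--eval', "printjson(#{command})"]
end

# Parse a command line the way sh would and return the word following --eval,
# i.e. what mongo sees. Returns nil when sh would reject the line outright
# (Shellwords.split raises ArgumentError on unmatched quotes).
def eval_argument_seen_by_mongo(cmdline)
  words = Shellwords.split(cmdline)
  idx = words.index('--eval')
  idx && words[idx + 1]
rescue ArgumentError
  nil
end

# Constructed eval command containing single quotes, the character the
# project's own comment says must never appear in the docker command string.
CONSTRUCTED_COMMAND = %q{db.getSiblingDB('config').shards.find()}

if $PROGRAM_NAME == __FILE__
  puts build_mongo_eval(CONSTRUCTED_COMMAND)
  # Escaped: mongo receives the JavaScript exactly as written.
  p eval_argument_seen_by_mongo(build_mongo_eval(CONSTRUCTED_COMMAND))
  # Unescaped: the inner quotes are consumed by sh and 'config' becomes a bare
  # identifier; with a ';' in the same position it would be a second command.
  p eval_argument_seen_by_mongo(build_mongo_eval_unsafe(CONSTRUCTED_COMMAND))
end
```

With the unsafe form the line still parses (four quotes happen to balance), so nothing fails loudly: mongo simply gets `db.getSiblingDB(config)` with the quotes stripped, which is the silent corruption the issue warns about; a command with an odd number of quotes would make `eval_argument_seen_by_mongo` return nil, the sh syntax error case. Shellwords.escape keeps the argument intact when a single command string is unavoidable; where the child process must be tracked for Process.kill, the argv-array form avoids the shell entirely.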