Always sanitize input data before using it in sensitive operations to prevent injection vulnerabilities. This applies to shell commands, file operations, and URL handling.
For shell commands:

```ruby
# VULNERABLE: Direct interpolation of variables into the command string;
# shell metacharacters in `argument` are interpreted by the shell.
full_command = `#{HOMEBREW_BREW_FILE} #{brew_command} #{argument}`

# SECURE: Escape each argument individually, then join them into the command.
require "shellwords"
full_command = [HOMEBREW_BREW_FILE, brew_command, argument].compact
                                                            .map { |arg| Shellwords.escape(arg) }
                                                            .join(" ")
```
For file operations:

```ruby
# VULNERABLE: IO.read and Kernel#open treat a path beginning with "|" as a
# command to spawn, so a non-constant path can become command execution.
content = IO.read(filepath)

# SECURE: File.read only ever opens a file.
content = File.read(filepath)
```
For URL operations:

```ruby
# VULNERABLE: URI.open falls back to Kernel#open for strings that are not
# URLs, which again means "|" can spawn a command.
response = URI.open(generated_url).read

# SECURE: Parse first; URI() raises on malformed input, and #open is only
# defined for the HTTP/FTP URI classes.
response = URI(generated_url).open.read
```
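The three patterns above, pulled together into small helpers. This is an added example, not Homebrew's own code: `BREW_FILE` is a constructed stand-in for `HOMEBREW_BREW_FILE`, and the explicit pipe-path and scheme checks go slightly beyond the page by making the rejected inputs visible as errors rather than silently relying on the safer API.

```ruby
require "shellwords"
require "uri"
require "open-uri"

# Constructed stand-in for HOMEBREW_BREW_FILE (assumption, not Homebrew's value).
BREW_FILE = "/usr/local/bin/brew"

# Build a shell command string with every argument escaped, so metacharacters
# in an untrusted argument reach the program literally instead of being parsed
# by the shell. Returns the string; the caller decides whether to run it.
def build_brew_command(brew_command, argument = nil)
  [BREW_FILE, brew_command, argument].compact
                                     .map { |arg| Shellwords.escape(arg) }
                                     .join(" ")
end

# Read a file from a caller-supplied path. File.read never interprets a leading
# "|" as "spawn this command" (IO.read and Kernel#open do), but refusing such a
# path explicitly makes the rejection visible in logs and code review.
def read_local_file(filepath)
  if filepath.start_with?("|")
    raise ArgumentError, "refusing pipe-style path: #{filepath.inspect}"
  end
  File.read(filepath)
end

# Parse a caller-supplied URL before opening it. URI.parse raises on input that
# is not a URL, and the scheme allow-list keeps fetches to http/https, so a
# string that is not a URL can never fall through to Kernel#open.
def parse_fetch_url(generated_url)
  uri = URI.parse(generated_url)
  unless %w[http https].include?(uri.scheme)
    raise ArgumentError, "unsupported scheme: #{uri.scheme.inspect}"
  end
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "not a URL: #{e.message}"
end

# OpenURI's #open is only reached once parse_fetch_url has accepted the input.
def fetch(generated_url)
  parse_fetch_url(generated_url).open.read
end

if $PROGRAM_NAME == __FILE__
  # Constructed hostile-looking argument: the ";" and spaces come out escaped.
  puts build_brew_command("install", "wget; echo injected")
end
```

`build_brew_command` returns the string rather than executing it so the escaping can be inspected (and unit-tested) in isolation; `fetch` is the only helper that touches the network and is not exercised offline.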
These patterns help prevent several classes of security vulnerabilities, including command injection, arbitrary file access, and server-side request forgery. Always assume input data could be malicious and handle it accordingly.