Disallow execing strings

Passing strings to Kernel::exec leads to remote code execution.

Disallow execing strings
Passing strings to Kernel::exec leads to remote code execution.
c4ea06e5 · Jacob Vosmaer · 1a75d086 · c4ea06e5
Commit c4ea06e5 authored Nov 25, 2015 by Jacob Vosmaer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

lib/gitlab_shell.rb lib/gitlab_shell.rb +7 -0

No files found.
--- a/lib/gitlab_shell.rb
+++ b/lib/gitlab_shell.rb
@@ -119,6 +119,13 @@ class GitlabShell

  # This method is not covered by Rspec because it ends the current Ruby process.
  def exec_cmd(*args)
+    # If you want to call a command without arguments, use
+    # exec_cmd(['my_command', 'my_command']) . Otherwise use
+    # exec_cmd('my_command', 'my_argument', ...).
+    if args.count == 1 && !args.first.is_a?(Array)
+      raise DisallowedCommandError
+    end
+
    env = {
      'PATH' => ENV['PATH'],
      'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'],