0

Is there any way to disable malicious input from shelling out and running in a server?

For example, When receiving templated ERB input from a user like in the code snippet below.

Note that this is a simple proof of concept so that it can be copied on a terminal within irb but the malicious input could be any arbitrary bash commands.

require "erb"
malicious_input_from_user = '<%= `ls` %>'
template = ERB.new(malicious_input_from_user)
template.result
jugutier
  • 179
  • 1
  • 13
  • 1
    Although it appears it hasn't been maintained in a while, you could look into https://github.com/markpent/SandboxedERB , perhaps it gives some ideas. – Casper Jul 13 '18 at 15:52
  • 2
    **NEVER TRUST USER INPUT** comes to mind. Why would your user be submitting "templated ERB" and why are you treating this as safe? – engineersmnky Jul 13 '18 at 16:37
  • @engineersmnky this is more of a curiosity within the ruby language and how RoR works, there’s many cases I can think for similar needs that’s not just the user submitting themplated erb, one would be a partial in RoR doing something with user input coming from a form that could allow malicious input (sort of like not using prepared statements for input) another one could be creating a dsl language based on ruby which could also allow malicious input... – jugutier Jul 13 '18 at 17:53
  • 1
    @jugutier in that case its not exactly injectable like that in ROR. If we were to expand your example to `<%= malicous_input_from_user %>` the input would actually be escaped during the template rendering to avoid such injections. [This Post](https://stackoverflow.com/a/21886874/1978251) offers a decent high level perspective – engineersmnky Jul 13 '18 at 17:59

1 Answers1

1

Sandboxing Ruby is extremely difficult (there's plenty of ways for ruby code to make your life difficult, besides using ``). There are various projects that attempt to do so, whether by pre-validating, mangling the runtime environment, wrapping everything in a docker container, or otherwise. I'd treat them all as a very last resort.

The safest option is to use a deliberately restricted templating language, like Liquid, instead.

matthewd
  • 4,332
  • 15
  • 21
  • Thanks for the quick answer! I'll take a look into liquid. Still surprised that there isn't a build in way of doing this, I can see how a RoR app could easily be taking input from a form field to expand as a partial which could contain malicious input like my example. I barely use Ruby and RoR so maybe people just don't use ERB with user input? – jugutier Jul 13 '18 at 15:49
  • No, they don't; it's directly parallel to calling `eval` with user input, which is a bad idea for all the same reasons as running shell commands from user input... anything a shell command could do, pure ruby script can do too. – matthewd Jul 13 '18 at 16:02