Commit c4ea06e5 authored by Jacob Vosmaer

Disallow execing strings

Passing strings to Kernel::exec leads to remote code execution.
parent 1a75d086
...@@ -119,6 +119,13 @@ class GitlabShell ...@@ -119,6 +119,13 @@ class GitlabShell
# This method is not covered by Rspec because it ends the current Ruby process. # This method is not covered by Rspec because it ends the current Ruby process.
def exec_cmd(*args) def exec_cmd(*args)
# If you want to call a command without arguments, use
# exec_cmd(['my_command', 'my_command']) . Otherwise use
# exec_cmd('my_command', 'my_argument', ...).
if args.count == 1 && !args.first.is_a?(Array)
raise DisallowedCommandError
end
env = { env = {
'PATH' => ENV['PATH'], 'PATH' => ENV['PATH'],
'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'], 'LD_LIBRARY_PATH' => ENV['LD_LIBRARY_PATH'],
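Review bot: the new guard in exec_cmd raises before Kernel#exec is ever reached, so it can be unit-tested despite the comment above the method saying the method is not covered by RSpec; add a spec asserting that `exec_cmd('my_command')` raises DisallowedCommandError and that the two-argument form and the `[cmd, argv0]` Array form do not. The check itself is sound for the stated goal: Kernel#exec only hands a lone String to the shell (enabling injection), while an Array first argument or multiple arguments bypass the shell, so rejecting exactly `count == 1 && !Array` closes the shell-interpretation path. One wording point on the comment: `exec_cmd(['my_command', 'my_command'])` would read clearer as `exec_cmd(['my_command', 'argv0'])` with a note that the second element is the process name, otherwise readers may think the command is being passed twice.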