I want to let a user of a web app enter a URL and then pass that URL onto curl. I'd rather use curl than Net::HTTP or open-uri. But this poses a security risk. What's the best way to check the URL string and prevent any injection attacks?
我想让网络应用的用户输入一个网址,然后将该网址传递给curl。我宁愿使用curl而不是Net :: HTTP或open-uri。但这会带来安全风险。检查URL字符串并防止任何注入攻击的最佳方法是什么?
I'm thinking of just using a regular expression like this to check for an injection attack:
我正在考虑使用这样的正则表达式来检查注入攻击:
raise "possible injection attack" if url =~ /[\s']/
and if that check succeeds, then just invoke curl like so
如果该检查成功,那么只需调用curl
html = `curl '#{url}'`
Is this safe enough?
这样安全吗?
2 个解决方案
#1
2
system("curl", url)
this is safe because parameters are directly passed to the main(argv)
of the command rather than being parsed by a command line processor. For example system("echo", "* && echo shenanigan")
literally outputs * && echo shenanigan
.
这是安全的,因为参数直接传递给命令的main(argv),而不是由命令行处理器解析。例如系统(“echo”,“* && echo shenanigan”)字面上输出* && echo shenanigan。
#2
1
Maybe you're better off using a library like libcurl (to avoid having to use shell commands) ?
也许你最好使用像libcurl这样的库(以避免使用shell命令)?
#1
2
system("curl", url)
this is safe because parameters are directly passed to the main(argv)
of the command rather than being parsed by a command line processor. For example system("echo", "* && echo shenanigan")
literally outputs * && echo shenanigan
.
这是安全的,因为参数直接传递给命令的main(argv),而不是由命令行处理器解析。例如系统(“echo”,“* && echo shenanigan”)字面上输出* && echo shenanigan。
#2
1
Maybe you're better off using a library like libcurl (to avoid having to use shell commands) ?
也许你最好使用像libcurl这样的库(以避免使用shell命令)?