Ruby中清除用户提供的url字符串的最佳方法是什么,以便可以安全地插入到shell命令中?

时间:2022-08-29 22:14:26

I want to let a user of a web app enter a URL and then pass that URL onto curl. I'd rather use curl than Net::HTTP or open-uri. But this poses a security risk. What's the best way to check the URL string and prevent any injection attacks?

我想让网络应用的用户输入一个网址,然后将该网址传递给curl。我宁愿使用curl而不是Net :: HTTP或open-uri。但这会带来安全风险。检查URL字符串并防止任何注入攻击的最佳方法是什么?

I'm thinking of just using a regular expression like this to check for an injection attack:

我正在考虑使用这样的正则表达式来检查注入攻击:

raise "possible injection attack" if url =~ /[\s']/ 

and if that check succeeds, then just invoke curl like so

如果该检查成功,那么只需调用curl

html = `curl '#{url}'`

Is this safe enough?

这样安全吗?

2 个解决方案

#1


2  

system("curl", url)

this is safe because parameters are directly passed to the main(argv) of the command rather than being parsed by a command line processor. For example system("echo", "* && echo shenanigan") literally outputs * && echo shenanigan.

这是安全的,因为参数直接传递给命令的main(argv),而不是由命令行处理器解析。例如系统(“echo”,“* && echo shenanigan”)字面上输出* && echo shenanigan。

#2


1  

Maybe you're better off using a library like libcurl (to avoid having to use shell commands) ?

也许你最好使用像libcurl这样的库(以避免使用shell命令)?

#1


2  

system("curl", url)

this is safe because parameters are directly passed to the main(argv) of the command rather than being parsed by a command line processor. For example system("echo", "* && echo shenanigan") literally outputs * && echo shenanigan.

这是安全的,因为参数直接传递给命令的main(argv),而不是由命令行处理器解析。例如系统(“echo”,“* && echo shenanigan”)字面上输出* && echo shenanigan。

#2


1  

Maybe you're better off using a library like libcurl (to avoid having to use shell commands) ?

也许你最好使用像libcurl这样的库(以避免使用shell命令)?