Yukang's Page

## Ruby's open function leads to command execution

2018-02-12

#### Description

If path starts with a pipe character, a subprocess is created, connected to the caller by a pair of pipes. The returned IO object may be used to write to the standard input and read from the standard output of this subprocess. If the command following the “|” is a single minus sign, Ruby forks, and this subprocess is connected to the parent. In the subprocess, the open call returns nil. If the command is not “-”, the subprocess runs the command. If a block is associated with an open(“|-”) call, that block will be run twice—once in the parent and once in the child. The block parameter will be an IO object in the parent and nil in the child. The parent’s IO object will be connected to the child’s stdin and stdout. The subprocess will be terminated at the end of the block.

#### Vulnerability

https://github.com/ruby/ruby/pull/1777

Ruby has several different opens, and the linked pull request gives a fairly clear explanation: Kernel.open is a wrapper that dispatches to different behaviour depending on its argument. Once you have fallen into enough of these traps, you come to feel that features like this actually add to the programmer's burden. The `|` feature, for instance, is something many people have simply never noticed; even someone who has read the documentation may have read an older version of it and so be unaware of this corner case.
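The practical consequence of the behaviour described above is that a string reaching `Kernel#open` from outside the program must never be trusted. The following is an added example, not code from the original post: a `pipe_path?` check that flags input `Kernel#open` would treat as a command, a `safe_read` helper that refuses such input and uses `File.open` (which has no pipe special case and treats the whole string as a file name), and a `demo` that reads a constructed temporary file. The helper names and the temporary file contents are assumptions made for this example.

```ruby
# Added example (not from the original post): keeping untrusted paths away from
# Kernel#open and reading files through File.open instead.
require "tempfile"

# True when Kernel#open would interpret the string as a command to spawn
# (leading "|") rather than as a file name.
def pipe_path?(path)
  path.to_s.start_with?("|")
end

# Hardened read: reject pipe-prefixed input outright and go through File.open,
# which never spawns a subprocess no matter what the string looks like.
def safe_read(path)
  if pipe_path?(path)
    raise ArgumentError, "refusing to open a pipe-prefixed path: #{path.inspect}"
  end
  File.open(path, "r", &:read)
end

# Shows that File.open has no pipe special case: a name beginning with "|"
# is looked up as a literal file, and a missing file raises Errno::ENOENT.
# Returns true only if File.open actually ran the string as a command.
def file_open_interprets_pipe?
  File.open("|echo constructed", "r", &:read)
  true
rescue Errno::ENOENT
  false
end

# Reads a constructed temporary file through safe_read and returns its contents.
def demo
  tmp = Tempfile.new("open-demo")
  tmp.write("hello from a real file\n") # constructed sample content
  tmp.flush
  contents = safe_read(tmp.path)
  tmp.close!
  contents
end

if __FILE__ == $PROGRAM_NAME
  puts demo
  puts "File.open treats '|' as a literal file name: #{!file_open_interprets_pipe?}"
  begin
    safe_read("|id")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

When a subprocess is genuinely needed, `IO.popen` with an argument array expresses that intent explicitly instead of relying on the first character of a string; for plain file access, `File.open` or `File.read` removes the ambiguity entirely.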

https://github.com/OWASP/railsgoat is a project containing all kinds of Rails vulnerabilities and is worth a look.