Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.

There are many ways to run commands in Ruby:

`ls #{params[:file]}`

system("ls #{params[:dir]}")

exec("md5sum #{params[:input]}")

Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.

See the Ruby Security Guide for details.

Back to Warning Types