How do I sanitize shell command and get the output in Ruby?

Question

I have to run some shell commands where the user gives the input. I found one way which seemed secure: system *%W(ls #{file}) [here].

I need to get the output of that command, so I cant just use system. Is there a way to sanitize the command for backticks `` or for %x[]?

score 3 · Accepted Answer · answered Mar 20 '11 at 13:27

3

You want IO::popen instead of system. You can still pass an array of strings to invoke the command without a shell, and you can read from the resulting IO object.

If you want to read stderr too, then use the open3 module instead of IO.

answered Mar 20 '11 at 13:27

glenn jackman

238,783
38
220
352

IO::popen(*%W[ls -al]).read gives me "ArgumentError: illegal access mode -al" :( but without '-al' it works... – klump Mar 20 '11 at 13:42
@klump, remove the `*` so that the first argument to popen is an array. – glenn jackman Mar 20 '11 at 16:11
4

Note that calling `popen` with an array works in 1.9 only. In ruby 1.8 you'd need to use popen3 or backticks + `Shellwords.escape`. – sepp2k Mar 20 '11 at 17:37
@sepp2k: Does backports cover this? – Andrew Grimm Mar 20 '11 at 22:30

score 0 · Answer 2 · edited Mar 20 '11 at 22:31

0

What kind of shell commands are you running that Ruby cannot support? If you are listing files, use Dir

edited Mar 20 '11 at 22:31

Andrew Grimm

78,473
57
200
338

answered Mar 20 '11 at 13:09

kurumi

25,121
5
44
52

i was using ls just as an exsample, i want to use a mix of selfwritten programms and unix programms, i am using the ruby File, Dir and FileUtils classes :P – klump Mar 20 '11 at 13:15

How do I sanitize shell command and get the output in Ruby?

2 Answers2