Fix Command Injection in Camping
Camping's minimalism often leads developers to take shortcuts with system calls. Command injection occurs when untrusted input is interpolated directly into a shell-executing method such as backticks, system(), or IO.popen: the shell parses the resulting string, so metacharacters in the input become commands. To secure the app, avoid shell interpolation and pass arguments as an array, so the program receives them without a shell ever seeing them.
The Vulnerable Pattern
module Blog::Controllers
  class Search < R '/search'
    def get
      # DANGER: user input is directly interpolated into a shell command
      @results = `grep #{input.query} ./logs.txt`
      render :results
    end
  end
end
The Secure Implementation
The vulnerable example uses backticks with string interpolation, so an attacker can inject shell metacharacters (e.g., query='; rm -rf /'). The secure version applies two layers of defense: first, a regex-based allowlist ensures the input contains only letters, digits and whitespace; second, Open3.capture3 (or system/exec with multiple arguments) passes each argument directly through the execve() syscall, bypassing the shell interpreter entirely, so characters in the query are never parsed as shell syntax. The allowlist also rejects a leading '-', which keeps a query from being read by grep as an option.
require 'open3'

module Blog::Controllers
  class Search < R '/search'
    def get
      query = input.query.to_s
      # VALIDATION: strict allowlist for input characters; anything else gets a 400.
      # Camping has no `halt`; `r(status, body)` sets the response for this request.
      return r(400, "Invalid Query") unless query =~ /\A[a-zA-Z0-9\s]+\z/
      # SECURE: Open3.capture3 with separate arguments runs grep without a shell
      stdout, _stderr, status = Open3.capture3('grep', query, './logs.txt')
      @results = status.success? ? stdout : "No results found."
      render :results
    end
  end
end
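The allowlist-plus-argument-vector pattern above, factored out of the controller so it can be exercised directly against a constructed log file. This is an added example, not code from the page or from the Camping project; the names allowed_query?, search_logs, demo_search and SAMPLE_LOG are hypothetical, and the '--' argument is an extra guard the page's snippet does not use.

```ruby
require 'open3'
require 'tempfile'

# Only letters, digits and whitespace. This rejects shell metacharacters
# (; | & ` $ ( ) ' ") and also a leading '-', so the query can never be
# interpreted by grep as an option.
QUERY_PATTERN = /\A[a-zA-Z0-9\s]+\z/

def allowed_query?(query)
  !!(query.to_s =~ QUERY_PATTERN)
end

# Runs grep with an argument vector: no shell is started, so the contents of
# `query` reach grep verbatim as one argument. '--' ends option parsing as a
# second line of defence. Returns the matching lines, or nil when the query
# fails the allowlist (it is then never handed to grep at all).
def search_logs(query, path)
  return nil unless allowed_query?(query)
  stdout, _stderr, status = Open3.capture3('grep', '--', query, path)
  case status.exitstatus
  when 0 then stdout.lines.map(&:chomp)          # matches found
  when 1 then []                                 # grep ran, nothing matched
  else raise "grep failed with status #{status.exitstatus}"  # e.g. unreadable file
  end
end

# Constructed sample log lines for the demonstration.
SAMPLE_LOG = <<~LOG
  2024-01-01 10:00:00 INFO  request /index 200
  2024-01-01 10:00:01 ERROR request /admin 500
  2024-01-01 10:00:02 INFO  request /search 200
LOG

# Writes the sample lines to a temporary file and runs one query against it.
def demo_search(query)
  Tempfile.create('logs') do |f|
    f.write(SAMPLE_LOG)
    f.flush
    search_logs(query, f.path)
  end
end

if __FILE__ == $0
  p demo_search('ERROR')          # one matching line
  p demo_search('missing')        # [] : grep ran but matched nothing
  p demo_search("'; rm -rf /'")   # nil : rejected by the allowlist
end
```

Because the query is a single argv element, a payload such as `'; rm -rf /'` would reach grep only as a literal pattern even without the allowlist; the allowlist is still worth keeping because it also blocks option-looking input and keeps error handling simple.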
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.