GuardAPI

Fix Command Injection in Cuba

Command injection in Ruby-based frameworks like Cuba occurs when unsanitized user input is passed directly to shell execution methods like `system`, `exec`, or backticks. This allows an attacker to append arbitrary commands using shell metacharacters (e.g., `;`, `&&`, `|`). To mitigate this, developers must avoid shell interpolation and use APIs that treat arguments as literal strings rather than shell-interpreted commands.

The Vulnerable Pattern

require 'cuba'

Cuba.define do
  on get do
    on "lookup", param("hostname") do |hostname|
      # VULNERABLE: String interpolation into backticks allows command injection
      # Example payload: ?hostname=google.com;cat /etc/passwd
      result = `nslookup #{hostname}`
      res.write result
    end
  end
end

The Secure Implementation

The vulnerable code uses backticks with string interpolation, which spawns a subshell (`/bin/sh -c`) and lets that shell parse the entire string. An attacker can therefore break out of the intended command with shell operators. The secure implementation uses `Open3.capture3`, passing the command and its argument as separate elements. Ruby then runs `nslookup` directly, without a shell, so the input reaches the binary as a single literal argument. Note that this protection depends on the argument list: a single string such as `Open3.capture3("nslookup #{hostname}")` would go through the shell again. Additionally, always validate input against an allowlist (e.g., a regex for valid hostnames) for defense-in-depth.

require 'cuba'
require 'open3'

Cuba.define do
  on get do
    on "lookup", param("hostname") do |hostname|
      # SECURE: Using Open3.capture3 with separate arguments
      # This bypasses the shell and treats 'hostname' as a single literal argument
      stdout, stderr, status = Open3.capture3("nslookup", hostname)

      if status.success?
        res.write stdout
      else
        res.status = 400
        res.write "Error: #{stderr}"
      end
    end
  end
end
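The allowlist validation recommended above, combined with shell-free spawning, as an added example that is not the page's or Cuba's own code: `valid_hostname?`, `safe_lookup`, the hostname regex and the `argv_seen_by_child` demonstration helper (which uses a child Ruby process instead of `nslookup` so it runs offline) are all assumptions.

```ruby
require 'open3'
require 'rbconfig'

# Allowlist for hostnames (assumption: RFC 1123 style labels joined by dots).
# Every shell metacharacter (';', '|', '&', '$', spaces, quotes) is rejected.
HOSTNAME_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def valid_hostname?(hostname)
  hostname.is_a?(String) && hostname.length <= 253 && hostname.match?(HOSTNAME_RE)
end

# Validates first, then spawns the resolver with an argv array (no shell).
# Returns [stdout, stderr, exit_status]; raises on input the allowlist rejects.
# Caveat: a single string like "nslookup #{hostname}" would be handed to /bin/sh.
def safe_lookup(hostname, command: "nslookup")
  raise ArgumentError, "hostname rejected by allowlist" unless valid_hostname?(hostname)
  stdout, stderr, status = Open3.capture3(command, hostname)
  [stdout, stderr, status.exitstatus]
end

# Demonstration helper (assumed name): asks a child Ruby process what it received
# as ARGV[0]. Because the command is given as separate arguments, metacharacters
# arrive literally instead of being interpreted by a shell.
def argv_seen_by_child(input)
  stdout, _stderr, _status = Open3.capture3(RbConfig.ruby, "-e", "print ARGV[0]", input)
  stdout
end

if $PROGRAM_NAME == __FILE__
  puts argv_seen_by_child("example.com;id")  # the ';' stays literal, nothing else runs
  puts valid_hostname?("example.com;id")     # false: rejected before any process starts
  begin
    out, err, code = safe_lookup("example.com")
    puts(code.zero? ? out : "Error: #{err}")
  rescue Errno::ENOENT
    puts "nslookup is not installed on this host"
  end
end
```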


Verified by Ghost Labs Security Team
