Fix Command Injection in Roda
Command injection in Roda occurs when an untrusted request parameter is interpolated into a string that is handed to a shell execution sink such as backticks, system() or IO.popen called with a single command string. Ruby passes that string to /bin/sh, so shell metacharacters in the parameter (;, |, &&, $(...)) become new commands. In the Ruby ecosystem this is a high-impact vulnerability that leads to full Remote Code Execution (RCE). To mitigate it, avoid shell interpolation entirely: pass the command and each argument as separate array elements (which makes Ruby exec the program directly, without a shell), or better, do the work with native Ruby File or IO methods and spawn no subprocess at all.
The Vulnerable Pattern
```ruby
require 'roda'

class App < Roda
  route do |r|
    r.get "logs" do
      # DANGER: user input is interpolated directly into a shell string.
      # Backticks hand the whole string to /bin/sh, so a ';' in 'path'
      # terminates the cat command and starts the attacker's own.
      file_path = r.params['path']
      `cat /var/log/app/#{file_path}`
    end
  end
end
```
The Secure Implementation
The vulnerable code uses backticks with string interpolation, so Ruby hands the whole string to /bin/sh. An attacker could send a payload like '?path=foo;+rm+-rf+/' (the '+' decodes to a space), and the shell then runs `cat /var/log/app/foo; rm -rf /` as two separate commands. The secure version uses Open3.capture3 with the command and its arguments as distinct array elements. In that form Ruby execs cat directly and no shell ever parses the input, so the parameter becomes one literal argv entry rather than code to interpret. Note what this does and does not fix: the shell is gone, but the argument is still attacker-controlled, so a value such as '../../etc/passwd' would still make cat read a file outside the log directory. Constrain the name as well, for example with File.basename or an allowlist of permitted log names. For maximum security, prefer native Ruby File or IO methods over spawning a subprocess at all.
```ruby
require 'open3'
require 'roda'

class App < Roda
  route do |r|
    r.get "logs" do
      file_path = r.params['path']

      # FIX 1: use array-based arguments to bypass the shell.
      # Each element is passed to cat as a literal argv entry, so shell
      # metacharacters in file_path are never interpreted as commands.
      # This does NOT stop path traversal ('../'), which FIX 2 handles.
      stdout, _stderr, status = Open3.capture3("cat", "/var/log/app/#{file_path}")

      # FIX 2: even better, use native Ruby File APIs instead of a subprocess,
      # and strip any directory components from the requested name:
      # File.read(File.join('/var/log/app', File.basename(file_path)))

      status.success? ? stdout : "Error accessing log"
    end
  end
end
```
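The following is an added, self-contained Ruby example (not code from the original page or from the Roda project) that runs all three variants side by side on the same payload: the interpolated shell string, the array form, and a shell-free reader that also enforces an allowlist and a directory-containment check, which the array form alone does not give you. It assumes a temporary directory created at load time as a stand-in for /var/log/app, and the function names (echo_via_shell, echo_via_argv, safe_log_path, read_log) are hypothetical helpers written for this example. The sample log file and the payload string are constructed inline.

```ruby
require 'open3'
require 'tmpdir'

# Constructed sample log directory for this example; stands in for /var/log/app.
LOG_DIR = Dir.mktmpdir("roda-logs")
File.write(File.join(LOG_DIR, "app.log"), "2024-01-01 boot ok\n")

# 1. The vulnerable sink. A single interpolated string containing shell
#    metacharacters is handed to /bin/sh, so ';' ends the intended command
#    and the attacker's command runs next.
def echo_via_shell(input)
  `echo #{input}`
end

# 2. Array form. Ruby execs "echo" directly with the input as one argv
#    element; no shell parses it, so it is printed back verbatim.
def echo_via_argv(input)
  stdout, _stderr, _status = Open3.capture3("echo", input)
  stdout
end

# 3. Best: no subprocess at all. Accept only a plain *.log file name
#    (no '/', no leading '.', no shell characters) and confirm the
#    resolved path is still inside LOG_DIR, which also defeats symlinks
#    that point outside it.
def safe_log_path(requested)
  return nil unless requested.is_a?(String)
  # Allowlist: starts with a letter/digit/_/-, then only [A-Za-z0-9_.-], ends in .log
  return nil unless requested.match?(/\A[A-Za-z0-9_-][A-Za-z0-9_.-]*\.log\z/)
  base = File.realpath(LOG_DIR)
  path = File.realpath(File.join(base, requested)) # raises if the file is missing
  path.start_with?(base + File::SEPARATOR) ? path : nil
rescue Errno::ENOENT, Errno::ENOTDIR
  nil
end

# Returns [status, body] the way a Roda route handler would.
def read_log(requested)
  path = safe_log_path(requested)
  return [404, "log not found"] unless path && File.file?(path)
  [200, File.read(path)]
end

if __FILE__ == $PROGRAM_NAME
  payload = "hello; echo INJECTED"
  puts echo_via_shell(payload)   # two lines: hello / INJECTED (the shell ran both)
  puts echo_via_argv(payload)    # one line: the payload printed literally
  p read_log("app.log")
  p read_log("../../../etc/passwd")
  p read_log("app.log; rm -rf /")
end
```

The shell/argv pair shows the exact mechanism the page describes: the same bytes are executed as a command in one case and treated as data in the other. The reader in part 3 is the shape to reach for in a real route: the allowlist rejects traversal and metacharacters up front, and the realpath containment check catches anything the regex did not anticipate.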
Verified by Ghost Labs Security Team