diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-11-26 06:09:17 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-11-26 06:09:17 +0300 |
commit | 846ebeb02e405ed42f8a45f34e941c70e3ca2ee3 (patch) | |
tree | 279a4c230e190a08428a1a575c09ef15113cb844 /doc/development/shell_commands.md | |
parent | 9331523ddc35cee6d42f73f31b1567478a4298c4 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/development/shell_commands.md')
-rw-r--r-- | doc/development/shell_commands.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/doc/development/shell_commands.md b/doc/development/shell_commands.md index 25113b4ac29..e9a50a2e27b 100644 --- a/doc/development/shell_commands.md +++ b/doc/development/shell_commands.md @@ -53,7 +53,7 @@ system(*%W(#{Gitlab.config.git.bin_path} branch -d -- #{branch_name})) ## Bypass the shell by splitting commands into separate tokens -When we pass shell commands as a single string to Ruby, Ruby will let `/bin/sh` evaluate the entire string. Essentially, we are asking the shell to evaluate a one-line script. This creates a risk for shell injection attacks. It is better to split the shell command into tokens ourselves. Sometimes we use the scripting capabilities of the shell to change the working directory or set environment variables. All of this can also be achieved securely straight from Ruby +When we pass shell commands as a single string to Ruby, Ruby lets `/bin/sh` evaluate the entire string. Essentially, we are asking the shell to evaluate a one-line script. This creates a risk for shell injection attacks. It is better to split the shell command into tokens ourselves. Sometimes we use the scripting capabilities of the shell to change the working directory or set environment variables. All of this can also be achieved securely straight from Ruby ```ruby # Wrong |