Class: Aikido::Zen::Scanners::ShellInjectionScanner
Inherits: Object
- Object
- Aikido::Zen::Scanners::ShellInjectionScanner

Defined in: lib/aikido/zen/scanners/shell_injection_scanner.rb
Class Method Summary
- .call(command:, sink:, context:, operation:) ⇒ Object
- .skips_on_nil_context? ⇒ Boolean

Instance Method Summary
- #attack? ⇒ Boolean
- #initialize(command, input) ⇒ ShellInjectionScanner (constructor)
  A new instance of ShellInjectionScanner.
Constructor Details
#initialize(command, input) ⇒ ShellInjectionScanner
Returns a new instance of ShellInjectionScanner.
```ruby
# File 'lib/aikido/zen/scanners/shell_injection_scanner.rb', line 36

def initialize(command, input)
  @command = command
  @input = input
end
```
Class Method Details
.call(command:, sink:, context:, operation:) ⇒ Object
```ruby
# File 'lib/aikido/zen/scanners/shell_injection_scanner.rb', line 17

def self.call(command:, sink:, context:, operation:)
  # Check every user-controlled payload in the request context against the command.
  context.payloads.each do |payload|
    next unless new(command, payload.value.to_s).attack?

    # The first payload that matches is reported as the attack; the rest are not examined.
    return Attacks::ShellInjectionAttack.new(
      sink: sink,
      input: payload,
      command: command,
      context: context,
      operation: "#{sink.operation}.#{operation}",
      stack: Aikido::Zen.clean_stack_trace
    )
  end

  nil
end
```
.skips_on_nil_context? ⇒ Boolean
```ruby
# File 'lib/aikido/zen/scanners/shell_injection_scanner.rb', line 8

def self.skips_on_nil_context?
  true
end
```
Instance Method Details
#attack? ⇒ Boolean
```ruby
# File 'lib/aikido/zen/scanners/shell_injection_scanner.rb', line 41

def attack?
  # Block single ~ character. For example `echo ~`
  if @input == "~"
    if @command.size > 1 && @command.include?("~")
      return true
    end
  end

  # We ignore single-character inputs since they don't pose a big threat.
  # They are only able to crash the shell, not execute arbitrary commands.
  return false if @input.size <= 1

  # We ignore cases where the user input is longer than the command because
  # the user input can't be part of the command.
  return false if @input.size > @command.size

  return false unless @command.include?(@input)

  return false if ShellInjection::Helpers.is_safely_encapsulated @command, @input

  ShellInjection::Helpers.contains_shell_syntax @command, @input
end
```