Ruby escape ARGV argument or string as argument to shell command
Use require 'shellwords'
and Shellwords.escape
, which will fix this sort of stuff for you:
Stay away from building shell strings
This is a fine vector for arbitrary code execution.
In this case, you could use popen
, which does the escaping for you, e.g.:
#!/usr/bin/env rubyIO.popen(['printf', 'a b']) do |f| puts f.readend
This outputs:
a b
just as if we had run on the terminal:
/usr/bin/printf 'a b'
If a b
hadn't been escaped, we wouldn't get a b
as expected, because running an unquoted:
/usr/bin/printf a b
in the terminal gives:
a/usr/bin/printf: warning: ignoring excess arguments, starting with ‘b’
Tested in Ubuntu 20.02, Ruby 2.6.