Command injection in video_converter ruby gem

7/20/2013
Larry W. Cashdollar @_larry0
https://rubygems.org/gems/video_converter

These functions don't sanitize user-supplied data before passing it to the shell. Parameters are substituted into a command template with plain string replacement (Command#initialize) and the resulting string is handed to backticks (Input#metadata) and to system (Command#execute). If this gem is used in the context of a Rails application for video processing, commands could be executed remotely.

./video_converter/input.rb

    self.metadata_command = "%{bin} -i %{input} 2>&1"

    attr_accessor :input, :outputs, :output_groups

    # ...

    def metadata
      metadata = {}
      s = `#{Command.new self.class.metadata_command, common_params}`
      if (m = s.match(/Stream.*?Audio:\s*(\w+).*?(\d+)\s*Hz.*?(\d+)\s*kb\/s$/).to_a).any?
        metadata[:audio_codec] = m[1]

./video_converter/command.rb

    self.verbose = false

    attr_accessor :command

    def initialize command, params = {}
      res = command.clone
      params.each do |param, value|
        res.gsub! "%{#{param}}", value.to_s
      end
      self.command = res
      raise ArgumentError.new("Command is not parsed '#{self.command}'") if self.command.match(/%{[\w\-.]+}/)
    end

    def execute params = {}
      puts command if params[:verbose] || self.class.verbose
      if params[:debug] || self.class.debug
        true
      else
        system command
      end
    end

    def to_s
      command
    end
  end
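The following is an added example, not code from the gem or this advisory. It re-creates the gem's template-substitution pattern next to two safe forms, and uses `echo` as a stand-in for the real binary so it runs anywhere; the hostile filename is constructed for the demonstration.

```ruby
require "open3"
require "shellwords"

# Vulnerable pattern (hypothetical re-creation of the gem's approach): a
# "%{param}" template is filled by string substitution and the whole
# result is one shell string, so metacharacters in `input` become syntax.
def vulnerable_metadata(bin, input)
  cmd = "%{bin} -i %{input} 2>&1".gsub("%{bin}", bin).gsub("%{input}", input)
  `#{cmd}`
end

# Safe, preferred form: pass each argument as its own argv element.
# With more than one argument Open3 (like Kernel#system) execs the
# program directly and no shell ever parses `input`.
def safe_metadata_argv(bin, input)
  out, _status = Open3.capture2e(bin, "-i", input)
  out
end

# Safe form when a single shell string is unavoidable (e.g. to keep the
# 2>&1 redirection): escape every substituted value with Shellwords.
def safe_metadata_escaped(bin, input)
  cmd = "#{Shellwords.escape(bin)} -i #{Shellwords.escape(input)} 2>&1"
  `#{cmd}`
end

# Constructed hostile filename: everything after ";" is a second command.
HOSTILE_INPUT = "movie.mp4; echo INJECTED".freeze

# The stand-in binary prints exactly one line for its arguments, so a
# second output line means the shell ran the smuggled command.
def injected?(output)
  output.lines.count > 1
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{injected?(vulnerable_metadata('echo', HOSTILE_INPUT))}"
  puts "argv:       #{injected?(safe_metadata_argv('echo', HOSTILE_INPUT))}"
  puts "escaped:    #{injected?(safe_metadata_escaped('echo', HOSTILE_INPUT))}"
end
```

The same `injected?` check makes a useful regression test for a fixed version of the gem: feed a filename with metacharacters through the metadata path and assert only one command ran.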