Tags: ruby, security, exec, brakeman

ruby exec command injection (protection!)


I am running the brakeman gem over a project. It's complaining about some exec commands that are being run.

Current code:

# One interpolated string: if any of the variables contains a shell
# metacharacter, Ruby hands the whole line to /bin/sh -c
Process.fork { exec "pdftk #{uncrypted_pdf_file} output #{pdf_file} owner_pw #{password} allow printing" }

Brakeman complains, suggesting there's a possibility of command injection. I have tried a few different combinations of calling exec, for example:

# Each string becomes exactly one argv entry, so " output #{pdf_file} " reaches
# pdftk as a single argument (spaces included) rather than as "output" and the path
Process.fork { exec "pdftk", uncrypted_pdf_file, " output #{pdf_file} ", "owner_pw #{password}", "allow printing" }

But as you'd expect, each argument just gets passed to pdftk in turn and so it falls over.

Is there a way to call a command in one shot and also protect against command injection? In our specific case it's safe enough anyway, as we control all the variables, but it'd be good to know the right way.


Solution

  • You need to pass each argument separately:

    exec "pdftk", uncrypted_pdf_file, "output", pdf_file, "owner_pw", password, "allow", "printing"
    

    You may need to provide the full path to pdftk as well.
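The difference between the two forms, as an added example that is not part of the question or the answer above. `echo` stands in for `pdftk` so it runs anywhere; the "filename" is a constructed malicious value. The string form with interpolated metacharacters goes through `/bin/sh -c`, while the argv form becomes a direct `execve` with no shell involved. `Process.fork { exec(*argv) }` from the question is equivalent to `Process.spawn(*argv)`, which is the one-shot call the asker wanted; `Shellwords.join` is shown for the case where a single string is still required (logging, or a tool that insists on a shell).

```ruby
require "open3"
require "shellwords"

# Constructed attacker-controlled "filename". The part after ";" is a second
# shell command; it runs only if the string ever reaches /bin/sh.
MALICIOUS_NAME = "report.pdf; echo INJECTED"

# Unsafe: a single interpolated string. Because the result contains a shell
# metacharacter (";"), Ruby runs it via /bin/sh -c, and the second command executes.
def unsafe_run(name)
  out, _status = Open3.capture2("echo #{name}")
  out
end

# Safe: argv form. Each element is one argv entry of the child process and no
# shell is involved, so ";" is just a character inside the argument.
def safe_run(name)
  out, _status = Open3.capture2("echo", name)
  out
end

# The pdftk invocation from the question, built in argv form. Returned rather
# than executed here because pdftk is not assumed to be installed.
def pdftk_argv(input_pdf, output_pdf, password)
  ["pdftk", input_pdf, "output", output_pdf, "owner_pw", password, "allow", "printing"]
end

# Fire-and-forget replacement for Process.fork { exec ... }: spawn takes the
# same argv list, so the untrusted values never touch a shell. Hypothetical
# helper; returns the child pid.
def run_pdftk_detached(input_pdf, output_pdf, password)
  pid = Process.spawn(*pdftk_argv(input_pdf, output_pdf, password))
  Process.detach(pid)
  pid
end

# If a single string is unavoidable, quote each element so it round-trips
# through /bin/sh unchanged instead of being interpreted.
def pdftk_shell_string(input_pdf, output_pdf, password)
  Shellwords.join(pdftk_argv(input_pdf, output_pdf, password))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_run(MALICIOUS_NAME).inspect}"   # two lines: injection ran
  puts "safe:   #{safe_run(MALICIOUS_NAME).inspect}"     # one line: literal argument
  puts pdftk_shell_string(MALICIOUS_NAME, "out.pdf", "s3cret pw")
end
```

Brakeman flags the string form because it cannot tell whether the interpolated values are trusted; the argv form is what its command-injection check is looking for, and it stays correct even when the values later stop being under your control.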