Looking for external program invocations

[Mark Hobley]

I have some open source software packages that were written in Ruby by a third
party that make use of external programs. For the purposes of security
auditing, and for making appropriate fixes, I need to locate all instances
within the code, where an external program is being called.

What keywords or functions would I need to locate?

I am thinking of using grep to simply search for the function names. Would
that be sufficient, or is it possible that function names are split across
several lines, making it possible for some instances to be missed during the
audit?

Mark.

 

[Marnen Laibow-Koser]

I have some open source software packages that were written in Ruby by a
third
party that make use of external programs. For the purposes of security
auditing, and for making appropriate fixes, I need to locate all
instances
within the code, where an external program is being called.

What keywords or functions would I need to locate?

I am thinking of using grep to simply search for the function names.
Would
that be sufficient, or is it possible that function names are split
across
several lines, making it possible for some instances to be missed during
the
audit?

If you're asking this question, then I'm sorry to say that you shouldn't
be doing this audit in the first place. To do an effective security
audit of a program written in Ruby, you must understand the language at
a reasonably advanced level. Hire an experienced Rubyist for this job.

Or, since these are open source programs, perhaps you should contact
their developers to discuss security concerns.

Mark.

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
(e-mail address removed)

 

[Mark Hobley]

If you're asking this question, then I'm sorry to say that you shouldn't
be doing this audit in the first place. To do an effective security
audit of a program written in Ruby, you must understand the language at
a reasonably advanced level. Hire an experienced Rubyist for this job.

I haven't got the cash because I only work part time, so I need to do this
myself.

I am thinking that I can use grep to locate the code lines, and then reverse
engineer the code section, to find out where the command data comes from, and
whether or not it is from a secure source.

A quick google tells me that I need to look for backticks or a system command.

Does Ruby support all of the system calls by name? (For example do I also need
to look for exec and other system calls?).

Can commands avoid grep by being split using a line break?

Can macros be derived from strings and then subsequently used as a command
by using only the macro name?

Mark.

 

[Seebs]

I am thinking that I can use grep to locate the code lines, and then reverse
engineer the code section, to find out where the command data comes from, and
whether or not it is from a secure source.
Maybe.

A quick google tells me that I need to look for backticks or a system command.

Or %x.

Can commands avoid grep by being split using a line break?
Perhaps?

Can macros be derived from strings and then subsequently used as a command
by using only the macro name?

Something like that is certainly conceivable.

Okay, here's your problem: Imagine that there's some underlying dangerous
call:

foo("bar")

And you want to hide this. Okay. How about...

x = 'b'
x << a
x << r
y = 'f'
y << 'o'
y << y[1]
y << '('
y << 'x'
y << ')'
eval y

In short, the question is whether you are worried about intentional deception,
or just about carelessness. For carelessness, you probably don't need to
worry about split lines and so on, and a quick scan through the project for
places where commands might be run may do it.

-s

 

[Ryan Davis]

I have some open source software packages that were written in Ruby by = a third
party that make use of external programs. For the purposes of security
auditing, and for making appropriate fixes, I need to locate all = instances
within the code, where an external program is being called.
=20
What keywords or functions would I need to locate?

There are quite a number of them. Here are some of them:

`cmd` or %x"cmd" (arbitrary delimiters for %x)
system
IO.popen
File.open

You should also look at IO.fork, IO.pipe, anything using the Process =
class, and probably a lot of other stuff.

Look at "Spawning new processes" in Programming Ruby:

"The file-naming convention of many IO methods and Kernel.open will also =
spawn subprocesses if you put a | as the first character of the =
filename."

Make sure you realize the implications of what you're doing. As others =
have pointed out, to do a _real_ job of security audit, you need to know =
the language. If you're just doing a CYA, that's another story.

 

[Mark Hobley]

Look at "Spawning new processes" in Programming Ruby:

Blimey! That was a bit of luck! A section specifically on spawning new
processes. Thanks Ryan!.

I wonder if that is complete, or whether there are methods outside of this.
Anyway, that has given me a good starting point.

I wonder if there is any software that can be used to perform such audits on
Ruby code.

Mark.

 

[Marnen Laibow-Koser]

I haven't got the cash because I only work part time, so I need to do
this
myself.

OK. Since you can't spend money, you'll need to spend time learning
Ruby to at least an intermediate level. It's not simply a question of
looking for specific literal keywords.

Best,
-- 
Marnen Laibow-Koser
http://www.marnen.org
(e-mail address removed)