rails how to run system command from rails command securely - ruby-on-rails

I have an ActiveJob which triggers a system script to run:
`grunt custom-job --src=files --dest="file" --vars='#{user_input_vars_from_json}'`
The point being that `user_input_vars_from_json` is a JSON config which comes as a user input parameter from a controller.
I do validate the JSON format, but how can I ensure that there is no harmful code sent to my system command?

I would just like to preface this with: any user input should be treated as dangerous. I would not recommend executing any command using user-provided inputs.
The first thing you're going to want to do is lock down the input as much as possible. Consider restricting the length of `user_input_vars_from_json` to prevent buffer overflow and DoS attacks. I also recommend trying to figure out a way to both validate and restrict the "vars" you are trying to set in the `user_input_vars_from_json` JSON, to filter out any unwanted keys/values.
Once your input is cleaned, you can use Kernel#system in combination with Shellwords to get as close to safe as possible in executing your command from your job:
```ruby
require 'shellwords'

# Array form of Kernel#system: each element is passed to grunt as one argument
system("grunt", "custom-job", "--src=files", '--dest="file"',
       "--vars=\"#{Shellwords.escape(user_input_vars_from_json)}\"")
```
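An added example (not the answerer's code) of locking the vars down and handing them to grunt without any shell in between. The allowlisted keys, the byte limit and the plain `--dest=file` argument are assumptions; the child process used to show what an argument looks like on arrival is ruby itself, so it runs without grunt installed.

```ruby
require 'json'
require 'open3'
require 'rbconfig'

# Constructed allowlist: the keys the grunt task may receive and the
# shape each value must have. The real job's vars are not on the page,
# so these two keys are placeholders.
ALLOWED_VARS = {
  "env"   => /\A(development|staging|production)\z/,
  "title" => /\A[\w .-]{1,64}\z/
}.freeze
MAX_VARS_BYTES = 1024

# Validate the raw JSON string from the controller and return it
# re-serialised. Anything outside the allowlist raises ArgumentError.
def sanitize_vars(raw)
  raise ArgumentError, "vars too long" if raw.bytesize > MAX_VARS_BYTES
  parsed = JSON.parse(raw)
  raise ArgumentError, "vars must be a JSON object" unless parsed.is_a?(Hash)
  parsed.each do |key, value|
    pattern = ALLOWED_VARS[key]
    raise ArgumentError, "unknown var #{key.inspect}" unless pattern
    unless value.is_a?(String) && value.match?(pattern)
      raise ArgumentError, "bad value for #{key}"
    end
  end
  JSON.generate(parsed) # only validated keys and values survive
end

# argv for the job: with the array form of system/spawn no shell runs,
# so each element reaches grunt as exactly one argument, quotes and all.
def grunt_argv(vars_json)
  ["grunt", "custom-job", "--src=files", "--dest=file", "--vars=#{vars_json}"]
end

# Shows that the array form passes metacharacters literally: the child
# (ruby itself, so this runs anywhere) prints back its first argument.
def child_sees(arg)
  out, _status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", "--", arg)
  out
end

if $PROGRAM_NAME == __FILE__
  vars = sanitize_vars('{"env":"staging","title":"Q1 report"}')
  p grunt_argv(vars)
  p child_sees('x"; echo injected; "') # printed back unchanged, nothing runs
end
```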

Related

Kristin PDF to HTML result into a variable

By using the Kristin gem, is there any possible way to store the result of the conversion in a variable instead of outputting it as a file?
Assuming that the link below goes to the gem you are talking about, no. The gem is a very thin layer on top of pdf2htmlEX and simply spawns the process with the arguments passed. Further, pdf2htmlEX doesn't seem to support redirecting its output, and adding this feature doesn't seem to be on their todo list, so adding this functionality would require wrapping a different converter.
I think your best bet would be to save the file and then load the HTML into a variable after creation.
Kristin: https://github.com/ricn/kristin
Thread about adding output redirection to pdf2htmlEX: https://github.com/coolwanglu/pdf2htmlEX/issues/638

Zabbix LLD Value should be a JSON object

Alright! Following is the scenario with the respective queries:
1) I am using a bash script to generate a JSON object for the status of custom processes.
2) Providing the bash script inside the zabbix_agentd.conf file:
```
UserParameter=service.check[*],/usr/lib/zabbix/externalscripts/service_check.bash
```
I want to provide the process names as parameters to the bash file here in UserParameter; how do I do that?
3) Restarting the zabbix-agent and checking with zabbix-get yields an empty JSON (because we have not given any process names):
```json
{
"data":[
]
}
```
4) If I provide process names in UserParameter as:
```
UserParameter=service.check[*],/usr/lib/zabbix/externalscripts/service_check.bash apache2 ntp cron
```
it yields the following:
```
{
"data":[
```
which I know is wrong, since I need to pass the process names in a different way. I tried passing them inside the bash script, and even then it generates an invalid JSON as above.
5) The JSON generated will be taken care of by the Zabbix discovery rule of type "Zabbix agent", where it will create different items out of the process names. Following is the JSON that my script should send:
```json
{"data":[{"{#NAME}":"apache2","{#STATUS}":"RUNNING","{#VALUE}":"1"},{"{#NAME}":"ntp","{#STATUS}":"RUNNING","{#VALUE}":"1"},{"{#NAME}":"cron","{#STATUS}":"STOPPED","{#VALUE}":"0"}]}
```
I could have used zabbix-sender for the same, but it would need me to run the sender for every key-value that I need to send. Also, this way I have to be concerned with manipulating data in one place only, and the rest will be taken care of.
Hope this is clear enough and explains my situation.

Machine parseable error messages

(From https://groups.google.com/d/msg/bazel-discuss/cIBIP-Oyzzw/caesbhdEAAAJ)
What is the recommended way for rules to export information about failures such that downstream tools can include them in UIs?
Example use case:
I ran `bazel test //my:target`, and one of the actions for `//my:target` fails because there is an unknown variable "usrname" in my/target.foo at line 7, column 10. It would also like to report that "username" is a valid variable and this is a possible misspelling, and thus wants to suggest the addition of an "e" character.
One way I have thought to do this is to have a separate file that my action produces, `//my:target.errors`, that is in a separate output group, and have it write machine-parseable data there in addition to human-readable data on stdout.
I can then find all of these files and parse the data in them in downstream tools.
Is there any prior work on this, or does everything just try to parse the human-readable output?
I recommend running the error checkers as extra actions.
I don't think Bazel currently has hooks for custom error handlers like you describe. Please consider opening a feature request: https://github.com/bazelbuild/bazel/issues/new

How to read a user input in a text filed in ruby on rails and pass the value to a shell script command

I am very new to Ruby on Rails and I have a very simple question.
I am able to read the user input from a text field in Ruby on Rails:
```ruby
@user = params[:user]
```
I have to pass this value as an argument to a shell script.
I tried a number of things, but nothing works:
```ruby
run_command "./file.sh #{@user}"
```
and
```ruby
%x(./file.sh #{@user})
```
The script receives "{user="
Any help is appreciated!
First, make sure you escape any parameters you pass to the command line. You may be easily attacked via command line injection this way. Try this instead:
```ruby
require 'shellwords' # provides String#shellescape

system "/path/to/file.sh #{@user.shellescape}"
```
You may also want to try exec, depending on how you want to track output. Please see http://ruby-doc.org/core-2.3.0/Kernel.html for more details on both.
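As an added example (not the answerer's code), the difference between interpolating `@user` raw and via `shellescape` when the command is given as one string, which a shell parses. Ruby itself stands in for `./file.sh` and prints back its first argument, so the run needs nothing beyond a stock Ruby.

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

# Stand-in for ./file.sh: a child that prints its first argument back.
CHILD = "#{RbConfig.ruby.shellescape} -e 'print ARGV[0]' --"

# The pattern from the question: raw interpolation into a shell string.
# Whatever the user typed is re-parsed by /bin/sh, metacharacters included.
def run_unescaped(user)
  out, _status = Open3.capture2("#{CHILD} #{user}")
  out
end

# The pattern from the answer: String#shellescape (from Shellwords)
# backslash-escapes every metacharacter, so the value stays one argument.
def run_escaped(user)
  out, _status = Open3.capture2("#{CHILD} #{user.shellescape}")
  out
end

if $PROGRAM_NAME == __FILE__
  user = "alice; echo injected"
  puts user.shellescape              # alice\;\ echo\ injected
  p run_unescaped(user)              # child gets "alice", then echo runs
  p run_escaped(user)                # child gets the whole string
end
```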

Ant exec task: How can I read input from console stdin?

I have a call to Ant exec task that needs to accept input from console stdin. Unfortunately, I cannot find a way to do this. The stdin filehandle seems closed to console input at runtime.
It is possible to specify input using attributes input and inputstring. However, I need to prompt for user input at the console.
How can I do this?
From the documentation of the task:
"Note that you cannot interact with the forked program, the only way to send input to it is via the input and inputstring attributes. Also note that since Ant 1.6, any attempt to read input in the forked program will receive an EOF (-1). This is a change from Ant 1.5, where such an attempt would block."
You could try to use the input task to prompt for input in the Ant buildfile and pass this input with the inputstring attribute of exec. I can't think of a better option at the moment.