Avoid Tainted FTP Call
Description
The application was found calling the `Net::FTP` module's methods with user-supplied input. A malicious actor could use this to modify or access files they should not have access to. Directly incorporating user-controlled input from `params`, `cookies`, or `request.env` into FTP commands or connection setups can lead to various security vulnerabilities, including Remote Code Execution (RCE), unauthorized file access, and data exfiltration.
Examples
Insecure Code
```ruby
require 'net/ftp'

# User-controlled params[:filename] flows straight into the FTP command and the local path.
Net::FTP.open('example.com', 'user', 'password') do |ftp|
  ftp.getbinaryfile(params[:filename], "local_#{params[:filename]}", 1024)
end
```
Secure Code
```ruby
require 'net/ftp'

filename = params[:filename]
# Accept only a bare "name.ext" filename; reject paths, separators and control characters.
raise "Invalid filename" unless filename =~ /\A[\w]+\.\w+\z/
Net::FTP.open('example.com', 'user', 'password') do |ftp|
  ftp.getbinaryfile(filename, "local_#{filename}", 1024)
end
```
Remediation
Validate and sanitize user-provided input before it is used in FTP operations. Verify the format and content of the input to ensure it meets expected criteria. Use allowlists to restrict the input to known safe values. Employ built-in security features of the programming language or framework to escape or safely handle user input.
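As an added example (not part of the original rule text), the following combines the two remediation steps above: a structural format check like the secure snippet plus an allowlist of permitted remote files, with the validated name also driving the local path. The allowlist contents, hostname, credentials and download directory are constructed placeholders.

```ruby
# Remote files this endpoint may fetch; a constructed allowlist for the example.
ALLOWED_REMOTE_FILES = %w[report.csv summary.txt].freeze

# Returns the filename if it is acceptable, nil otherwise. Two layers:
# a structural check (bare "name.ext", so no separators, traversal or
# control characters can reach the FTP command) and a policy check
# (the name must be on the allowlist).
def safe_remote_filename(user_value)
  return nil unless user_value.is_a?(String)
  return nil unless user_value.match?(/\A\w+\.\w+\z/)
  return nil unless ALLOWED_REMOTE_FILES.include?(user_value)
  user_value
end

# Local destination built only from the validated name and a fixed directory
# (constructed path), so the local side cannot be redirected either.
def local_destination(filename, dir = '/tmp/downloads')
  File.join(dir, "local_#{filename}")
end

# Downloads a file only after validation. Hostname and credentials are
# placeholders; nothing connects until this method is called.
def fetch_report(user_value)
  filename = safe_remote_filename(user_value)
  raise ArgumentError, 'Invalid filename' if filename.nil?
  require 'net/ftp' # loaded here so validation can be exercised without the gem
  Net::FTP.open('ftp.example.com', 'user', 'password') do |ftp|
    ftp.getbinaryfile(filename, local_destination(filename), 1024)
  end
end
```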
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0536 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-76 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | ftp, injection, tainted input |
| OWASP | A1:2017-Injection, A03:2021-Injection |