Linux server1.dn-server.com 4.18.0-553.89.1.lve.el8.x86_64 #1 SMP Wed Dec 10 13:58:50 UTC 2025 x86_64
LiteSpeed
Server IP : 195.201.204.189 & Your IP : 216.73.216.198
Domains :
Cant Read [ /etc/named.conf ]
User : beriska1
Terminal
Auto Root
Create File
Create Folder
Localroot Suggester
Backdoor Destroyer
Readme
/
opt /
alt /
ruby32 /
share /
ri /
system /
Delete
Unzip
Name
Size
Permission
Date
Action
ACL
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ARGF
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Abbrev
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Addrinfo
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ArgumentError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Array
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Base64
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
BasicObject
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
BasicSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Benchmark
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
BigDecimal
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
BigMath
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Binding
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Bundler
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
CGI
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
CSV
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Class
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ClosedQueueError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Comparable
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Complex
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Continuation
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
CoreExtensions
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Coverage
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
DRb
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Data
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Date
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
DateTime
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Delegator
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
DidYouMean
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Digest
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Dir
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ENV
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
EOFError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ERB
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Encoding
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
EncodingError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
English
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Enumerable
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Enumerator
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Errno
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ErrorHighlight
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Etc
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Exception
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FalseClass
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Fcntl
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Fiber
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FiberError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Fiddle
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
File
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FileTest
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FileUtils
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Find
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Float
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FloatDomainError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Forwardable
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
FrozenError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
GC
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Gem
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
GetoptLong
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Hash
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IO
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IOError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IPAddr
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IPSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IRB
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
IndexError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Integer
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Interrupt
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
JSON
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Jacobian
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Kconv
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Kernel
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
KeyError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
LUSolve
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
LoadError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
LocalJumpError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Logger
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
MakeMakefile
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Marshal
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
MatchData
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Math
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Method
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Module
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Monitor
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
MonitorMixin
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Mutex_m
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NEWS
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NKF
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NameError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Net
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Newton
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NilClass
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NoMatchingPatternError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NoMatchingPatternKeyError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NoMemoryError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NoMethodError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
NotImplementedError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Numeric
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
OLEProperty
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Object
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ObjectSpace
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Observable
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Open3
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
OpenSSL
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
OpenStruct
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
OpenURI
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
OptionParser
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
PP
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
PStore
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
PTY
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Pathname
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
PrettyPrint
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Proc
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Process
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Psych
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RDoc
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Racc
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Ractor
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Rake
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Random
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Range
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RangeError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Rational
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RbConfig
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Readline
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Refinement
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Regexp
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RegexpError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Reline
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Resolv
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Rinda
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Ripper
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RubyLex
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RubyVM
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
RuntimeError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SOCKSSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ScriptError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SecureRandom
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SecurityError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Set
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Shellwords
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Signal
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SignalException
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SimpleDelegator
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SingleForwardable
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Singleton
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Socket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SocketError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
StandardError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
StopIteration
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
String
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
StringIO
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
StringScanner
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Struct
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Symbol
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SyntaxError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SyntaxSuggest
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Syslog
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SystemCallError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SystemExit
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
SystemStackError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TCPServer
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TCPSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TSort
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Tempfile
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Thread
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ThreadError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ThreadGroup
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Time
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Timeout
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TracePoint
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TrueClass
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
TypeError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UDPSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UNIXServer
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UNIXSocket
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
URI
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UnboundMethod
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UncaughtThrowError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
UnicodeNormalize
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
WIN32OLE
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
WIN32OLEQueryInterfaceError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
WIN32OLERuntimeError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Warning
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
WeakRef
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Win32
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
XMP
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
YAML
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
ZeroDivisionError
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
Zlib
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
contributing
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
fatal
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
optparse
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
syntax
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
win32
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
yjit
[ DIR ]
drwxr-xr-x
2026-05-05 23:08
cache.ri
307.54
KB
-rw-r--r--
2026-04-07 17:42
page-COPYING.ri
3.06
KB
-rw-r--r--
2026-04-07 17:42
page-COPYING_ja.ri
3.16
KB
-rw-r--r--
2026-04-07 17:42
page-LEGAL.ri
50.64
KB
-rw-r--r--
2026-04-07 17:42
page-NEWS_md.ri
36.04
KB
-rw-r--r--
2026-04-07 17:42
page-README_ja_md.ri
10.87
KB
-rw-r--r--
2026-04-07 17:42
page-README_md.ri
4.29
KB
-rw-r--r--
2026-04-07 17:42
page-bsearch_rdoc.ri
5.51
KB
-rw-r--r--
2026-04-07 17:42
page-bug_triaging_rdoc.ri
4.83
KB
-rw-r--r--
2026-04-07 17:42
page-case_mapping_rdoc.ri
4.56
KB
-rw-r--r--
2026-04-07 17:42
page-character_selectors_rdoc.ri
4.59
KB
-rw-r--r--
2026-04-07 17:42
page-command_injection_rdoc.ri
1.45
KB
-rw-r--r--
2026-04-07 17:42
page-contributing_md.ri
1.43
KB
-rw-r--r--
2026-04-07 17:42
page-dig_methods_rdoc.ri
3.66
KB
-rw-r--r--
2026-04-07 17:42
page-dtrace_probes_rdoc.ri
9.92
KB
-rw-r--r--
2026-04-07 17:42
page-encodings_rdoc.ri
20.65
KB
-rw-r--r--
2026-04-07 17:42
page-extension_ja_rdoc.ri
86.74
KB
-rw-r--r--
2026-04-07 17:42
page-extension_rdoc.ri
88.83
KB
-rw-r--r--
2026-04-07 17:42
page-fiber_md.ri
7.55
KB
-rw-r--r--
2026-04-07 17:42
page-format_specifications_rdoc.ri
12.87
KB
-rw-r--r--
2026-04-07 17:42
page-globals_rdoc.ri
5.82
KB
-rw-r--r--
2026-04-07 17:42
page-implicit_conversion_rdoc.ri
7.79
KB
-rw-r--r--
2026-04-07 17:42
page-keywords_rdoc.ri
6.29
KB
-rw-r--r--
2026-04-07 17:42
page-maintainers_rdoc.ri
15.54
KB
-rw-r--r--
2026-04-07 17:42
page-marshal_rdoc.ri
14.17
KB
-rw-r--r--
2026-04-07 17:42
page-memory_view_md.ri
8.85
KB
-rw-r--r--
2026-04-07 17:42
page-packed_data_rdoc.ri
22.57
KB
-rw-r--r--
2026-04-07 17:42
page-ractor_md.ri
31.63
KB
-rw-r--r--
2026-04-07 17:42
page-regexp_rdoc.ri
38.79
KB
-rw-r--r--
2026-04-07 17:42
page-security_rdoc.ri
7.09
KB
-rw-r--r--
2026-04-07 17:42
page-signals_rdoc.ri
4.96
KB
-rw-r--r--
2026-04-07 17:42
page-standard_library_rdoc.ri
9.15
KB
-rw-r--r--
2026-04-07 17:42
page-strftime_formatting_rdoc.ri
20.92
KB
-rw-r--r--
2026-04-07 17:42
page-syntax_rdoc.ri
1.88
KB
-rw-r--r--
2026-04-07 17:42
page-timezones_rdoc.ri
5.14
KB
-rw-r--r--
2026-04-07 17:42
Save
Rename
U:RDoc::TopLevel[ i I"security.rdoc:ETcRDoc::Parser::Simpleo:RDoc::Markup::Document:@parts[SS:RDoc::Markup::Heading: leveli: textI"Ruby Security;To:RDoc::Markup::BlankLine o:RDoc::Markup::Paragraph;[I"TThe Ruby programming language is large and complex and there are many security ;TI"Lpitfalls often encountered by newcomers and experienced Rubyists alike.;T@ o; ;[I"RThis document aims to discuss many of these pitfalls and provide more secure ;TI"#alternatives where applicable.;T@ o; ;[I"UPlease check the full list of publicly known CVEs and how to correctly report a ;TI"Hsecurity vulnerability, at: https://www.ruby-lang.org/en/security/ ;TI"EJapanese version is here: https://www.ruby-lang.org/ja/security/;T@ o; ;[ I"ASecurity vulnerabilities should be reported via an email to ;TI"4mailto:security@ruby-lang.org ({the PGP public ;TI"Ukey}[https://www.ruby-lang.org/security.asc]), which is a private mailing list. ;TI"5Reported problems will be published after fixes.;T@ S; ; i;I"+Marshal.load+;T@ o; ;[I"URuby's +Marshal+ module provides methods for serializing and deserializing Ruby ;TI"3object trees to and from a binary data format.;T@ o; ;[ I"NNever use +Marshal.load+ to deserialize untrusted or user supplied data. ;TI"NBecause +Marshal+ can deserialize to almost any Ruby object and has full ;TI"Rcontrol over instance variables, it is possible to craft a malicious payload ;TI"6that executes code shortly after deserialization.;T@ o; ;[ I"RIf you need to deserialize untrusted data, you should use JSON as it is only ;TI"Ucapable of returning 'primitive' types such as strings, arrays, hashes, numbers ;TI"Oand nil. If you need to deserialize other classes, you should handle this ;TI";manually. Never deserialize to a user specified class.;T@ S; ; i;I" YAML;T@ o; ;[I"RYAML is a popular human readable data serialization format used by many Ruby ;TI"Nprograms for configuration and database persistence of Ruby object trees.;T@ o; ;[I"RSimilar to +Marshal+, it is able to deserialize into arbitrary Ruby classes. ;TI"KFor example, the following YAML data will create an +ERB+ object when ;TI"deserialized:;T@ o:RDoc::Markup::Verbatim;[I"!ruby/object:ERB ;TI"src: puts `uname` ;T:@format0o; ;[I"RBecause of this, many of the security considerations applying to Marshal are ;TI"Lalso applicable to YAML. Do not use YAML to deserialize untrusted data.;T@ S; ; i;I"Symbols;T@ o; ;[ I"USymbols are often seen as syntax sugar for simple strings, but they play a much ;TI"Pmore crucial role. The MRI Ruby implementation uses Symbols internally for ;TI"Rmethod, variable and constant names. The reason for this is that symbols are ;TI"Ssimply integers with names attached to them, so they are faster to look up in ;TI"hashtables.;T@ o; ;[I"OStarting in version 2.2, most symbols can be garbage collected; these are ;TI"Lcalled <i>mortal</i> symbols. Most symbols you create (e.g. by calling ;TI"+to_sym+) are mortal.;T@ o; ;[I"P<i>Immortal</i> symbols on the other hand will never be garbage collected. ;TI"*They are created when modifying code:;To:RDoc::Markup::List: @type:BULLET:@items[o:RDoc::Markup::ListItem:@label0;[o; ;[I"3defining a method (e.g. with +define_method+),;To;;0;[o; ;[I"Fsetting an instance variable (e.g. with +instance_variable_set+),;To;;0;[o; ;[I"<creating a variable or constant (e.g. with +const_set+);To; ;[ I"LC extensions that have not been updated and are still calling `SYM2ID` ;TI"#will create immortal symbols. ;TI"IBugs in 2.2.0: +send+ and +__send__+ also created immortal symbols, ;TI"Gand calling methods with keyword arguments could also create some.;T@ o; ;[ I"KDon't create immortal symbols from user inputs. Otherwise, this would ;TI"Rallow a user to mount a denial of service attack against your application by ;TI"Sflooding it with unique strings, which will cause memory to grow indefinitely ;TI"Muntil the Ruby process is killed or causes the system to slow to a halt.;T@ o; ;[I"TWhile it might not be a good idea to call these with user inputs, methods that ;TI"<used to be vulnerable such as +to_sym+, +respond_to?+, ;TI"Q+method+, +instance_variable_get+, +const_get+, etc. are no longer a threat.;T@ S; ; i;I"Regular expressions;T@ o; ;[ I"RRuby's regular expression syntax has some minor differences when compared to ;TI"Tother languages. In Ruby, the <code>^</code> and <code>$</code> anchors do not ;TI"Urefer to the beginning and end of the string, rather the beginning and end of a ;TI"*line*.;T@ o; ;[ I"?This means that if you're using a regular expression like ;TI"S<code>/^[a-z]+$/</code> to restrict a string to only letters, an attacker can ;TI"Ubypass this check by passing a string containing a letter, then a newline, then ;TI""any string of their choosing.;T@ o; ;[I"RIf you want to match the beginning and end of the entire string in Ruby, use ;TI"the anchors +\A+ and +\z+.;T@ S; ; i;I"+eval+;T@ o; ;[I"=Never pass untrusted or user controlled input to +eval+.;T@ o; ;[ I"NUnless you are implementing a REPL like +irb+ or +pry+, +eval+ is almost ;TI"Ucertainly not what you want. Do not attempt to filter user input before passing ;TI"Sit to +eval+ - this approach is fraught with danger and will most likely open ;TI"Jyour application up to a serious remote code execution vulnerability.;T@ S; ; i;I"+send+;T@ o; ;[I"U'Global functions' in Ruby (+puts+, +exit+, etc.) are actually private instance ;TI"Qmethods on +Object+. This means it is possible to invoke these methods with ;TI"A+send+, even if the call to +send+ has an explicit receiver.;T@ o; ;[I"RFor example, the following code snippet writes "Hello world" to the terminal:;T@ o;;[I""1.send(:puts, "Hello world") ;T;0o; ;[I"SYou should never call +send+ with user supplied input as the first parameter. ;TI">Doing so can introduce a denial of service vulnerability:;T@ o;;[I"6foo.send(params[:bar]) # params[:bar] is "exit!" ;T;0o; ;[I"OIf an attacker can control the first two arguments to +send+, remote code ;TI"execution is possible:;T@ o;;[I"J# params is { :a => "eval", :b => "...ruby code to be executed..." } ;TI"&foo.send(params[:a], params[:b]) ;T;0o; ;[I"SWhen dispatching a method call based on user input, carefully verify that the ;TI"Qmethod name. If possible, check it against a whitelist of safe method names.;T@ o; ;[I"ONote that the use of +public_send+ is also dangerous, as +send+ itself is ;TI"public:;T@ o;;[I"E1.public_send("send", "eval", "...ruby code to be executed...") ;T;0S; ; i;I"DRb;T@ o; ;[I"UAs DRb allows remote clients to invoke arbitrary methods, it is not suitable to ;TI"!expose to untrusted clients.;T@ o; ;[I"TWhen using DRb, try to avoid exposing it over the network if possible. If this ;TI"Uisn't possible and you need to expose DRb to the world, you *must* configure an ;TI"<appropriate security policy with <code>DRb::ACL</code>.;T: @file@:0@omit_headings_from_table_of_contents_below0