Marnen Laibow-Koser <marnen / marnen.org> wrote:
> If you're asking this question, then I'm sorry to say that you shouldn't 
> be doing this audit in the first place.  To do an effective security 
> audit of a program written in Ruby, you must understand the language at 
> a reasonably advanced level.  Hire an experienced Rubyist for this job.

I haven't got the cash because I only work part time, so I need to do this
myself.

I am thinking that I can use grep to locate the code lines, and then reverse
engineer the code section, to find out where the command data comes from, and
whether or not it is from a secure source.

A quick google tells me that I need to look for backticks or a system command.

Does Ruby support all of the system calls by name? (For example, do I also need
to look for exec and other system calls?)

Can commands avoid grep by being split using a line break?

Can macros be derived from strings and then subsequently used as a command
by using only the macro name?

Mark.

-- 
Mark Hobley
Linux User: #370818  http://markhobley.yi.org/
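An added example, not code from this thread or from either poster: a small auditing helper that answers the grep questions above by using Ruby's own parser (Ripper, in the standard library) instead of a text search. A parser sees `system`, `exec`, `IO.popen` and friends as method-name tokens however the call is split across lines, treats backticks and `%x{}` as the same node, ignores the word "system" when it only appears inside a string or comment, and can flag `send`/`eval`-style dispatch where the method name is built at runtime so the auditor can inspect those spots by hand. The sink lists and the sample source are assumptions constructed for the example; the lists are a starting point, not an exhaustive inventory of ways Ruby can spawn a process.

```ruby
# Added example (not from the original thread): find command-execution sinks in
# Ruby source with the stdlib parser rather than grep.
require "ripper"

# Methods that hand a string to the OS as a command (assumed list for this example).
COMMAND_SINKS = %w[system exec spawn popen popen2 popen2e popen3
                   capture2 capture2e capture3 pipeline].freeze
# Dispatch-by-name methods: a sink hidden behind a runtime string ends up here.
DYNAMIC_SINKS = %w[send public_send __send__ method eval instance_eval class_eval].freeze
# Ripper node types whose direct @ident child is the called method name.
CALL_NODES = %i[fcall command vcall call command_call].freeze

Finding = Struct.new(:kind, :name, :line, :col)

# Scan one chunk of Ruby source; returns Findings sorted by position.
def scan_ruby(source)
  tree = Ripper.sexp(source)
  return [] if tree.nil?          # Ripper.sexp returns nil on a syntax error
  findings = []
  walk(tree, findings)
  findings.sort_by { |f| [f.line, f.col] }
end

def walk(node, findings)
  return unless node.is_a?(Array)
  case node.first
  when :xstring_literal             # `cmd` and %x{cmd} both parse to this node
    line, col = first_position(node) || [0, 0]
    findings << Finding.new(:backtick, "`", line, col)
  when *CALL_NODES
    node.each do |child|
      next unless child.is_a?(Array) && child.first == :@ident
      name, (line, col) = child[1], child[2]
      if COMMAND_SINKS.include?(name)
        findings << Finding.new(:command, name, line, col)
      elsif DYNAMIC_SINKS.include?(name)
        findings << Finding.new(:dynamic, name, line, col)
      end
    end
  end
  node.each { |child| walk(child, findings) }
end

# Depth-first search for the first [line, col] pair inside a node.
def first_position(node)
  return nil unless node.is_a?(Array)
  return node if node.size == 2 && node.all? { |x| x.is_a?(Integer) }
  node.each do |child|
    pos = first_position(child)
    return pos if pos
  end
  nil
end

# One human-readable line per finding.
def format_findings(findings)
  findings.map do |f|
    note = f.kind == :dynamic ? "dynamic dispatch, inspect the argument by hand" : "command execution"
    "#{f.line}:#{f.col} #{f.kind} #{f.name} (#{note})"
  end
end

# Constructed sample input for the scanner, not real application code.
SAMPLE_SOURCE = <<~'RUBY'
  # constructed sample for the scanner, not real application code
  files = `ls -l #{dir}`
  system(
    "tar",
    "czf", archive
  )
  out = IO.popen(["git", "log"]).read
  name = "sys" + "tem"
  Kernel.send(name, "echo hi")
  puts "system is not a sink when it is just text"
RUBY

if __FILE__ == $PROGRAM_NAME
  sources = ARGV.empty? ? { "(sample)" => SAMPLE_SOURCE } : ARGV.to_h { |p| [p, File.read(p)] }
  sources.each do |path, src|
    format_findings(scan_ruby(src)).each { |l| puts "#{path}:#{l}" }
  end
end
```

Run it with no arguments to see the sample scanned, or pass `.rb` paths on the command line. On the sample it reports the backtick on line 2, the `system` call that spans lines 3 to 6, `IO.popen` on line 7 and the `Kernel.send` on line 9 (as dynamic dispatch), while the `puts` line is correctly skipped. The `send` case is the answer to the "macro derived from a string" question: the scanner cannot know what `name` holds at runtime, so it marks the site for manual review rather than guessing.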