There is the top-level method `() which captures the output of a string command executed in a subshell. The string literal fully supports interpolation, thus it could easily lead to command injection when interpolating user input.
I've just written a docs chapter about this (crystal-lang/crystal-book#304).
In order to avoid command injection, arguments need to be properly escaped. Process.new and Process.run allow this, but require a few lines of code in order to implement a safe equivalent to a simple backticks command.
There is also the top-level method system which offers safe arguments, but doesn't capture the output. Instead, it is forwarded to STDOUT directly.
There should be a method to provide a safe & easy to use alternative for capturing subshell output with the same arguments as system() (plus maybe an additional shell argument) but with the behaviour and return type of `().
This could be implemented by adding an optional args argument to `(), but I don't think that's a good idea because it makes it hard to distinguish the safe operation of this method.
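The injection the issue describes, and the Process.run-based workaround it calls tedious, side by side. This is an added example, not code from the issue or from the Crystal standard library; the `capture` helper at the end is a hypothetical sketch of the requested method, and the `"; echo pwned"` input is constructed to show the difference.

```crystal
# Added example (not from the issue or Crystal's stdlib).
# Demonstrates why `() with interpolation is injectable and how
# Process.run with an argument array avoids the shell entirely.

# VULNERABLE: the string is handed to /bin/sh, so any shell
# metacharacter in `dir` becomes part of the command.
def list_vulnerable(dir : String) : String
  `ls -1 #{dir}`
end

# SAFE: no shell is involved; `dir` is passed to ls as a single
# argv element, so metacharacters are literal characters.
def list_safe(dir : String) : String
  output = IO::Memory.new
  status = Process.run("ls", ["-1", dir], output: output, error: Process::Redirect::Close)
  raise "ls failed with exit code #{status.exit_code}" unless status.success?
  output.to_s
end

# Hypothetical helper: what a safe, output-capturing sibling of
# system() might look like. Takes an argv array like system(),
# returns the captured stdout like `(). The `shell` flag is only
# meaningful when no args are given, mirroring Process.run.
def capture(command : String, args : Array(String)? = nil, shell : Bool = false) : String
  output = IO::Memory.new
  Process.run(command, args, shell: shell, output: output)
  output.to_s
end

# Constructed malicious input: a bare filename that carries a
# second shell command after the separator.
malicious = "; echo pwned"

# Shell sees: ls -1 ; echo pwned   -> "pwned" ends up in the output
puts "vulnerable: #{list_vulnerable(malicious).inspect}"

# ls receives "; echo pwned" as a literal filename and fails;
# nothing else is executed.
begin
  puts "safe: #{list_safe(malicious).inspect}"
rescue ex
  puts "safe: #{ex.message}"
end

# Same argv-based calling convention as system(), output captured.
puts "capture: #{capture("printf", ["%s\\n", malicious]).inspect}"
```

Note that Process.run with `shell: true` (or `capture(cmd, shell: true)` above) still routes the command through /bin/sh and is therefore just as injectable as `() when the string contains interpolated input; the safe path is always the argv form.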