mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
14 lines
414 B
Ruby
# Phase 21 (Track M.3) — Rails ActionCable channel vuln fixture.
#
# `ChatChannel#receive(data)` splices the inbound WebSocket message
# bytes into a shell command via Kernel#system — classic ActionCable
# → cmdi shape.

# class ChatChannel < ApplicationCable::Channel

class ChatChannel
  def receive(data)
    # SINK: tainted data concatenated into shell command.
    system("echo " + data.to_s)
  end
end
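An added example, not part of the nyx repository: the fixture's shell-string sink shape next to an argv-form call that never reaches a shell, both run on a constructed message. `run_shell_form`, `HardenedChatChannel`, `MAX_BYTES` and `SAMPLE` are hypothetical names, and a POSIX `echo` on the PATH is assumed.

```ruby
require "open3"

# Added example; not code from the nyx repository. run_shell_form,
# HardenedChatChannel, MAX_BYTES and SAMPLE are hypothetical names.

# Constructed message standing in for an inbound WebSocket payload.
SAMPLE = "hi; echo injected"

# The fixture's sink shape, with stdout captured so the effect is visible.
# A single command string containing shell metacharacters is handed to
# /bin/sh -c, so the text after ';' runs as a second command.
def run_shell_form(data)
  out, _status = Open3.capture2("echo " + data.to_s)
  out
end

class HardenedChatChannel
  MAX_BYTES = 256 # assumed limit for this example

  def receive(data)
    msg = data.to_s
    raise ArgumentError, "message too long" if msg.bytesize > MAX_BYTES
    # Separate arguments: Ruby executes echo directly, no shell parses msg.
    # This does not stop option injection (echo still reads "-n" as a flag).
    out, _status = Open3.capture2("echo", msg)
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  puts run_shell_form(SAMPLE).inspect
  puts HardenedChatChannel.new.receive(SAMPLE).inspect
end
```

The same multi-argument form applies to `Kernel#system`, which is the call a taint rule for this fixture would need to distinguish from the single-string form.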