CRITICAL shellshockhanami

Shellshock in Hanami

Scan for shellshock in hanami

How Shellshock Manifests in Hanami

Shellshock, officially CVE-2014-6271, is a critical vulnerability in Bash that allows remote code execution through specially crafted environment variables. In Hanami applications, this manifests when user-controlled data flows into system calls, command execution, or environment variable handling without proper sanitization.

The most common Hanami-specific scenario involves controller actions that execute shell commands using Ruby's system, exec, or backtick operators with unsanitized parameters. Consider a Hanami controller that processes user input:

module Web::Controllers::Files
  class Upload
    include Web::Action

    def call(params)
      filename = params[:filename]
      system("ls -la #{filename}")
    end
  end
end

This creates a perfect Shellshock vector. An attacker could craft a filename like:

() { :;}; /bin/echo vulnerable

When Bash processes this environment variable, it executes the payload. In Hanami applications, this often appears in:

  • Before actions that set environment variables from params
  • File upload handlers that construct shell commands
  • Database migration scripts executed via shell
  • External API integrations using system calls

Hanami's convention-over-configuration approach can inadvertently create these vulnerabilities when developers use Ruby's shell execution methods without understanding Bash's parsing behavior.

Hanami-Specific Detection

Detecting Shellshock vulnerabilities in Hanami requires both static code analysis and runtime scanning. middleBrick's API security scanner includes specific checks for this vulnerability pattern:

npm install -g middlebrick
middlebrick scan https://your-hanami-app.com/api/v1/files

The scanner tests for Shellshock by sending specially crafted headers that exploit Bash's environment variable parsing. For Hanami applications specifically, middleBrick examines:

  • Controller actions that use system, exec, or backticks
  • Before actions that manipulate environment variables
  • File upload endpoints that construct shell commands
  • Any endpoints accepting file names or paths

Hanami's modular architecture means vulnerabilities can be isolated to specific slices. middleBrick's scanner analyzes each slice independently, providing targeted findings:

{
  "shellshock_vulnerability": {
    "severity": "critical",
    "location": "Web::Controllers::Files::Upload",
    "endpoint": "/api/v1/files",
    "affected_parameters": ["filename"],
    "remediation": "Use Ruby's Process.spawn with explicit arguments instead of system calls"
  }
}

For local development, you can use Hanami's built-in tools to identify risky patterns. Search your codebase for:

grep -r "system(" apps/ || grep -r "exec(" apps/ || grep -r "`.*`" apps/

Combine this with middleBrick's continuous monitoring to catch vulnerabilities introduced during development.

Hanami-Specific Remediation

Remediating Shellshock in Hanami applications requires eliminating unsafe shell command execution. The most effective approach uses Ruby's native features that avoid Bash interpretation entirely.

Replace unsafe system calls with Process.spawn:

module Web::Controllers::Files
  class Upload
    include Web::Action

    def call(params)
      filename = params[:filename]
      # Unsafe - vulnerable to Shellshock
      # system("ls -la #{filename}")

      # Safe - no shell interpretation
      Process.spawn("ls", "-la", filename)
    end
  end
end

For file operations, use Ruby's File class instead of shell commands:

module Web::Controllers::Files
  class Upload
    include Web::Action

    def call(params)
      filepath = params[:filepath]
      # Unsafe - could execute arbitrary commands
      # system("cat #{filepath}")

      # Safe - direct file operations
      if File.exist?(filepath)
        content = File.read(filepath)
        # process content
      end
    end
  end
end

Hanami's slice architecture helps contain vulnerabilities. Isolate external command execution to dedicated services:

# apps/web/lib/services/file_service.rb
module Services::FileService
  def self.list_directory(path)
    # Safe - no shell interpretation
    Dir.entries(path)
  end
end

# apps/web/lib/controllers/files/upload.rb
module Web::Controllers::Files
  class Upload
    include Web::Action

    def call(params)
      files = Services::FileService.list_directory(params[:path])
      # No shell commands, no Shellshock risk
    end
  end
end

For Hanami applications that must execute external commands, use the multi-argument form:

# Safe - arguments are passed separately
Open3.capture3("ls", "-la", sanitized_path)

# Also safe - explicit array
system(["ls", "-la", sanitized_path])

Integrate middleBrick into your Hanami development workflow to catch these issues early:

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Run middleBrick Scan
      run: |
        npm install -g middlebrick
        middlebrick scan https://staging.your-hanami-app.com --fail-threshold=80

This ensures Shellshock and other critical vulnerabilities are caught before deployment.

Scan for shellshock in hanami Free API security scan

Frequently Asked Questions

Can Shellshock affect Hanami applications even if I don't use system calls?
Yes, Shellshock can affect Hanami applications through CGI scripts, FastCGI handlers, or any component that passes user input to Bash as environment variables. Even if your Ruby code doesn't use system calls, middleware or server configurations that invoke Bash with user-controlled data can be vulnerable. middleBrick's scanner tests for these indirect vectors by examining how your application handles environment variables and HTTP headers.
How does middleBrick's LLM security scanning relate to Shellshock vulnerabilities?
While Shellshock and LLM vulnerabilities are different attack classes, both involve code execution through unexpected input processing. middleBrick's LLM security checks include prompt injection testing that parallels Shellshock's approach of finding unexpected execution paths. The scanner tests for system prompt leakage and prompt injection in AI endpoints, using similar methodology to how it tests for Shellshock - by sending crafted inputs that attempt to bypass normal processing. Both checks are part of middleBrick's comprehensive 12-point security assessment.

Related Pages

Shellshock in Hanami on AwsUnderstand Shellshock in Hanami on AWS, with concrete AWS-specific fixes and real code examples to prevent command injecShellshock in Hanami on AzureUnderstand Shellshock in Hanami on Azure and apply concrete Azure-specific code fixes to secure your deployment.Shellshock in Hanami on DigitaloceanAnalyze Shellshock risks in Hanami on Digitalocean with actionable remediation and secure code examples.Shellshock in Hanami on CloudflareUnderstand Shellshock in Hanami behind Cloudflare and apply concrete fixes: avoid shell invocation, validate env vars, uPci Dss: Shellshock in HanamiExplore how PCI DSS requirements intersect with Shellshock in Hanami apps, and apply concrete Hanami code fixes to preveSoc2: Shellshock in HanamiExplore how SOC 2 controls intersect with Shellshock in Hanami apps, with concrete Ruby-safe code examples and remediatiIso 27001: Shellshock in HanamiExplore ISO 27001 mappings for Shellshock in Hanami apps, understand real vulnerabilities, and apply concrete code fixesCis: Shellshock in HanamiExplore Cis guidance on Shellshock in Hanami apps, with concrete Hanami code fixes to prevent command injection.Shellshock in Hanami with Mutual TlsExplore Shellshock risks in Hanami with Mutual TLS, and apply concrete Ruby-based remediation with secure mTLS code examShellshock in Hanami with Api KeysExplore Shellshock in Hanami with Api Keys: understand the risk and apply concrete remediation with safe code examples.Shellshock in Hanami with Bearer TokensExplore Shellshock in Hanami with Bearer Tokens, understand risks, and apply concrete remediation with secure code exampShellshock in Hanami with Hmac SignaturesExplore Shellshock risks in Hanami using Hmac Signatures, with secure Ruby examples and remediation guidance.