Shellshock in Hanami with Bearer Tokens

Shellshock (CVE-2014-6271 and related variants) is a command injection vulnerability in the Bash shell that arises when function exports are passed to subprocesses without proper sanitization. Hanami, a Ruby web framework, can be impacted when environment variables or CGI-style parameters are used to construct shell commands, particularly in scenarios involving authentication tokens such as Bearer Tokens. If a Hanami application reads a Bearer Token from an environment variable or request header and passes it to a system call, eval, or backtick execution, an attacker may be able to inject malicious commands by crafting a token containing Bash special characters.

In a typical Hanami setup, Bearer Tokens are often extracted from the Authorization header (e.g., Authorization: Bearer ) and used for API authentication or to validate requests. If the application logs, processes, or forwards these tokens to a subprocess — for example, to call an external command for token introspection or revocation — and the token value is not strictly validated or escaped, Shellshock can be triggered. This risk is heightened when the token contains strings like () { :; };, which Bash interprets as function definitions followed by arbitrary commands. Because middleBrick scans the unauthenticated attack surface, it can detect endpoints that accept Bearer Tokens and subsequently invoke shell commands, highlighting the exposure even when authentication is not required to reach the vulnerable code path.

With OpenAPI/Swagger spec analysis, middleBrick cross-references spec definitions containing securitySchemes of type http with bearerFormat bearer against runtime behavior. If a spec declares Bearer Token usage but runtime calls invoke shell commands with unsanitized input, the scan correlates the mismatch and flags it as a high-severity finding. This is particularly relevant for endpoints that accept tokens in headers and then interact with system utilities. The scan also checks for patterns such as unchecked input validation, improper error handling, and missing rate limiting, which can amplify the impact of Shellshock in this context. By testing active prompt injection and output scanning, middleBrick ensures that any leakage of sensitive data through misused tokens or injected commands is identified, even in unauthenticated scans.

To remediate Shellshock risks related to Bearer Tokens in Hanami, avoid passing raw token values to shell commands. If external command execution is necessary, use language-native abstractions that do not invoke Bash, or rigorously validate and sanitize all inputs. Below are concrete code examples demonstrating secure handling of Bearer Tokens in Hanami controllers.

Example 1: Safe token validation without shell execution

Instead of invoking shell commands to validate a token, perform checks within Ruby. This eliminates Bash involvement entirely.

module Api::V1
  class ResourcesController < Hanami::Controller
    def show
      auth_header = request.env['HTTP_AUTHORIZATION']
      if auth_header&.start_with?('Bearer ')
        token = auth_header.split(' ').last
        if valid_token?(token)
          # proceed with business logic
          render json: { status: 'ok' }
        else
          render json: { error: 'Unauthorized' }, status: 401
        end
      else
        render json: { error: 'Missing authorization header' }, status: 400
      end
    end

    private

    def valid_token?(token)
      # Use secure comparison and avoid shell interaction
      token == ENV.fetch('EXPECTED_BEARER_TOKEN', '')
    end
  end
end

Example 2: Avoiding backticks and system calls with token data

If you must call external utilities, pass token data through safe interfaces that do not invoke Bash, or use Hanami's built-in HTTP clients instead of shelling out.

# Unsafe: potential Shellshock vector
# token = request.env['HTTP_AUTHORIZATION']>.split(' ').last
# `curl -H "Authorization: Bearer #{token}" https://api.example.com/introspect`

# Safe: use Hanami's HTTP client or Ruby's Net::HTTP
require 'net/http'
require 'uri'

module Api::V1
  class IntrospectController < Hanami::Controller
    def introspect
      auth_header = request.env['HTTP_AUTHORIZATION']
      if auth_header&.start_with?('Bearer ')
        token = auth_header.split(' ').last
        uri = URI('https://auth.example.com/introspect')
        http = Net::HTTP.new(uri.host, uri.port)
        request = Net::HTTP::Get.new(uri.path)
        request['Authorization'] = "Bearer #{token}"
        response = http.request(request)
        render json: JSON.parse(response.body)
      else
        render json: { error: 'Missing token' }, status: 400
      end
    end
  end
end

General secure practices

• Never construct shell commands with token values or any user-influenced data.
• Use environment variables for configuration, but treat their contents as untrusted if they originate from external sources.
• Apply strict input validation and prefer allowlists for acceptable token formats.
• If using middleware or background jobs that may invoke shell commands, ensure token handling is isolated from subprocess invocation.

By following these patterns, Hanami applications can avoid the intersection of Bearer Token handling and Bash that enables Shellshock. middleBrick supports this posture by scanning for authentication mechanisms, input validation gaps, and risky subprocess usage, providing prioritized findings with remediation guidance mapped to frameworks such as OWASP API Top 10.