Imagine I have the following Rails endpoint:
    def configure_welcome_message
      # stores the request parameter directly in the process environment
      ENV['myapp_welcome_message'] = params[:welcome_message]
    end
Aside from the fact that this is an inane way to set a welcome message, is there anything inherently insecure about exposing a custom environment variable to an unsanitized parameter?
In this case it's not a path to an executable, or even an 'important' variable, it's just a string that maybe gets displayed somewhere. Can a knowledgeable person leverage this endpoint for some kind of remote shell access, or to further modify the ENV beyond the variable I am explicitly setting? Or any other security implications?
Note: I recognize you could set the 'welcome message' to something misleading to users, but I'm talking about back-end security.
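An added illustration, written here as a standalone script rather than taken from the question or from any answer on the page: it exercises an `ENV[key] = param` assignment like the one above with inputs a request could carry, shows that the environment is process-wide mutable state, and sets a validating, non-ENV variant beside it. It needs no Rails; `params` is a constructed Hash standing in for request parameters, and `KEY`, `SETTINGS`, `MAX_LEN` and the `probe_*` helpers are names chosen for this example.

```ruby
# Added example, not from the original question: what `ENV[key] = param` can
# and cannot do in plain Ruby, beside a hardened variant. Needs no Rails;
# `params` is a constructed Hash standing in for request parameters.

KEY = 'myapp_welcome_message'

# The endpoint as posted: stores whatever the parameter holds, unchecked.
def configure_welcome_message(params)
  ENV[KEY] = params[:welcome_message]
end

# Run the raw endpoint with one input and report what happened.
def probe_raw(value)
  configure_welcome_message(welcome_message: value)
  { ok: true, stored: ENV[KEY] }
rescue TypeError, ArgumentError => e
  # Ruby rejects non-String values (TypeError) and strings containing a NUL
  # byte (ArgumentError); in a web app these surface as a 500 response.
  { ok: false, error: e.class.name }
end

# ENV is process-wide mutable state: a value written while handling one
# request is visible to every later request and every thread in the process
# (and is inherited by any child process the app spawns).
def env_persists_across_requests?
  configure_welcome_message(welcome_message: 'set by request one')
  Thread.new { ENV[KEY] }.value == 'set by request one'
end

# Hardened variant: validate type, encoding, characters and length, and keep
# the value in application state instead of the process environment.
MAX_LEN = 200
SETTINGS = {}             # constructed stand-in for a settings store
SETTINGS_LOCK = Mutex.new

def configure_welcome_message_safe(params)
  value = params[:welcome_message]
  raise ArgumentError, 'welcome_message must be a string' unless value.is_a?(String)
  raise ArgumentError, 'welcome_message has invalid encoding' unless value.valid_encoding?
  raise ArgumentError, 'welcome_message contains control characters' if value.match?(/[[:cntrl:]]/)
  raise ArgumentError, "welcome_message longer than #{MAX_LEN}" if value.length > MAX_LEN
  SETTINGS_LOCK.synchronize { SETTINGS[:welcome_message] = value }
  value
end

def probe_safe(value)
  { ok: true, stored: configure_welcome_message_safe(welcome_message: value) }
rescue ArgumentError => e
  { ok: false, error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  ['Welcome!', nil, ['a', 'b'], "a\0b"].each { |v| p(probe_raw(v)) }
  p env_persists_across_requests?
  ['Welcome!', "x\nbad", 'y' * 201].each { |v| p(probe_safe(v)) }
end
```

Two behaviours worth noting from the raw version: a `nil` parameter does not store an empty message but deletes the variable outright, and because `ENV` belongs to the whole process, the "last writer wins" across every concurrent request rather than per user. The safe variant keeps the message where request-mutable state belongs, in application storage under a lock, and rejects anything that is not a bounded, printable string.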