From: Andy Allan
Date: Wed, 22 Apr 2020 11:22:30 +0000 (+0200)
Subject: Use Open3.capture2 instead of backticks, to avoid command line injection risks
X-Git-Tag: live~2695^2
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/35db86714bb173b571813e49ed31afbd08c46cd0
Use Open3.capture2 instead of backticks, to avoid command line injection risks In this situation, trace_name can be trivially checked as legitimate, but this removes any lingering risks from interpolating into a command line instead of passing parameters explicitly. Refs #2229
---
diff --git a/app/models/trace.rb b/app/models/trace.rb
index d500784af..959d82e1c 100644
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -117,7 +117,7 @@ class Trace < ApplicationRecord
 end
 def mime_type
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
@@ -139,7 +139,7 @@ class Trace < ApplicationRecord
 end
 def extension_name
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
@@ -208,8 +208,7 @@ class Trace < ApplicationRecord
 end
 def xml_file
- # TODO: *nix specific, could do to work on windows... would be functionally inferior though - check for '.gz'
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
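Review bot: `Open3` is used in the mime_type hunk without a visible `require "open3"`; unless app/models/trace.rb or an initializer already loads it (not shown in this diff), the first call to `Open3.capture2` raises NameError, so add `require "open3"` at the top of the file. The second element of the capture2 result, the Process::Status, is discarded in this hunk and identically in the extension_name and xml_file hunks, so a failing `file` invocation yields an empty filetype that silently matches none of the regexes; consider `filetype, status = Open3.capture2("/usr/bin/file", "-Lbz", trace_name)` followed by a check of `status.success?` that logs or raises. The same detection preamble now appears verbatim in all three methods; a private helper such as `def file_type; Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp; end` would keep the argument-array invocation in one place. Each of mime_type, extension_name and xml_file continues past its hunk.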