From: Tom Hughes
Date: Mon, 27 Jul 2020 18:11:03 +0000 (+0100)
Subject: Fix the Command Injection warnings from Brakeman
X-Git-Tag: live~2604
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/6c159b96734f81efc24f2c1410cd979b5c272819
Fix the Command Injection warnings from Brakeman
---
diff --git a/app/models/trace.rb b/app/models/trace.rb
index 97800a868..93486f9ed 100644
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -220,17 +220,17 @@ class Trace < ApplicationRecord
     file = Tempfile.new("trace.#{id}")
     if tarred && gzipped
-      system("tar -zxOf #{trace_name} > #{file.path}")
+      system("tar", "-zxOf", trace_name, :out => file.path)
     elsif tarred && bzipped
-      system("tar -jxOf #{trace_name} > #{file.path}")
+      system("tar", "-jxOf", trace_name, :out => file.path)
     elsif tarred
-      system("tar -xOf #{trace_name} > #{file.path}")
+      system("tar", "-xOf", trace_name, :out => file.path)
     elsif gzipped
-      system("gunzip -c #{trace_name} > #{file.path}")
+      system("gunzip", "-c", trace_name, :out => file.path)
     elsif bzipped
-      system("bunzip2 -c #{trace_name} > #{file.path}")
+      system("bunzip2", "-c", trace_name, :out => file.path)
     elsif zipped
-      system("unzip -p #{trace_name} -x '__MACOSX/*' > #{file.path} 2> /dev/null")
+      system("unzip", "-p", trace_name, "-x", "__MACOSX/*", :out => file.path, :err => "/dev/null")
     end
     file.unlink
diff --git a/config/brakeman.yml b/config/brakeman.yml
index 3551b75e4..48faf7b6d 100644
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,6 +1,5 @@
 :skip_checks:
 # These checks are skipped, but should be considered TODO
-- CheckExecute
 - CheckFileAccess
 - CheckRedirect
 - CheckRender
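Review bot: The return value of `system` is still discarded on all six rewritten call sites, so a missing decompressor, a non-zero exit from a corrupt archive, or a spawn failure leaves the method continuing with an empty or partial tempfile as though extraction had succeeded. In the argv form `system` returns `false` on non-zero exit and `nil` when the command cannot be spawned, so each branch should fail loudly, e.g. `raise "failed to extract #{trace_name}" unless system("gunzip", "-c", trace_name, :out => file.path)` (same pattern for the tar, bunzip2 and unzip branches). The shell is gone, but if `trace_name` can ever start with `-` (it is presumably built from the trace id and a configured directory — verify) the gunzip, bunzip2 and unzip invocations would parse it as an option, so a `--` separator before it is cheap defense in depth where the tool accepts one. The enclosing method starts and ends outside this hunk.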