From 35db86714bb173b571813e49ed31afbd08c46cd0 Mon Sep 17 00:00:00 2001
From: Andy Allan
Date: Wed, 22 Apr 2020 13:22:30 +0200
Subject: [PATCH] Use Open3.capture2 instead of backticks, to avoid command line injection risks

In this situation, trace_name can be trivially checked as legitimate, but this removes any lingering risks from interpolating into a command line instead of passing parameters explicitly.

Refs #2229
---
 app/models/trace.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/app/models/trace.rb b/app/models/trace.rb
index d500784af..959d82e1c 100644
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -117,7 +117,7 @@ class Trace < ApplicationRecord
 end
 
 def mime_type
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
@@ -139,7 +139,7 @@ class Trace < ApplicationRecord
 end
 
 def extension_name
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
@@ -208,8 +208,7 @@ class Trace < ApplicationRecord
 end
 
 def xml_file
- # TODO: *nix specific, could do to work on windows... would be functionally inferior though - check for '.gz'
- filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
+ filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
 gzipped = filetype =~ /gzip compressed/
 bzipped = filetype =~ /bzip2 compressed/
 zipped = filetype =~ /Zip archive/
-- 
2.39.5
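Review bot: The new `Open3.capture2` call in the mime_type hunk (and identically in the extension_name and xml_file hunks) has no matching `require "open3"` anywhere in the patch; Open3 is a standard-library module that is not loaded by default, so unless something else in the application already requires it the first call raises NameError at runtime rather than at boot. Taking only `.first` of the `[stdout, status]` pair also discards the exit status, so a non-zero exit from /usr/bin/file silently yields an empty string and the method falls through to whatever default branch follows, which the backtick form did as well but which is now trivial to detect. Since the same detection line is now repeated verbatim in three methods, I would move it into one private helper that passes the argv array, checks the status and returns the chomped output, and replace each of the three lines with `filetype = detected_file_type`; raising on failure is a behaviour change, so keep it only if the callers tolerate an exception there. Each enclosing method starts and ends outside its hunk.
```ruby
  # Runs file(1) on the trace and returns its one-line description.
  # Arguments are passed as an argv array, so trace_name is never shell-interpreted.
  # Raises if file(1) exits non-zero instead of silently classifying an empty string.
  def detected_file_type
    output, status = Open3.capture2("/usr/bin/file", "-Lbz", trace_name)
    raise "file(1) exited #{status.exitstatus} for #{trace_name}" unless status.success?

    output.chomp
  end
```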