Use Open3.capture2 instead of backticks, to avoid command line injection risks

In this situation, trace_name can be trivially checked as legitimate, but this
removes any lingering risks from interpolating into a command line instead of
passing parameters explicitly.

Refs #2229
Andy Allan 2020-04-22 13:22:30 +02:00
parent 5df434271e
commit 35db86714b


@ -117,7 +117,7 @@ class Trace < ApplicationRecord
end
def mime_type
filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
gzipped = filetype =~ /gzip compressed/
bzipped = filetype =~ /bzip2 compressed/
zipped = filetype =~ /Zip archive/
@ -139,7 +139,7 @@ class Trace < ApplicationRecord
end
def extension_name
filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
gzipped = filetype =~ /gzip compressed/
bzipped = filetype =~ /bzip2 compressed/
zipped = filetype =~ /Zip archive/
@ -208,8 +208,7 @@ class Trace < ApplicationRecord
end
def xml_file
# TODO: *nix specific, could do to work on windows... would be functionally inferior though - check for '.gz'
filetype = `/usr/bin/file -Lbz #{trace_name}`.chomp
filetype = Open3.capture2("/usr/bin/file", "-Lbz", trace_name).first.chomp
gzipped = filetype =~ /gzip compressed/
bzipped = filetype =~ /bzip2 compressed/
zipped = filetype =~ /Zip archive/
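Review bot: The new `Open3.capture2(...).first.chomp` line in xml_file (and identically in mime_type and extension_name) discards the `Process::Status` that capture2 returns, so if `/usr/bin/file` is missing or cannot read `trace_name` the result is an empty string, every `=~` match below is nil, and the trace is silently handled as an uncompressed file. Unless that fallback is intended, capture the status and fail loudly: `filetype, status = Open3.capture2("/usr/bin/file", "-Lbz", trace_name)` followed by `raise "file(1) failed for #{trace_name}: #{status}" unless status.success?` and `filetype = filetype.chomp`. Since the same detection line now appears in three methods, extracting it into one private helper (say `detected_filetype`) would keep the status check in a single place. The hunk does not show a `require "open3"`; confirm it is loaded elsewhere, since `Open3` is not autoloaded by default. The xml_file body continues outside the hunk, and the hunk headers suggest a trailing line of each hunk is not shown here.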