
Use open3 for shell command execution #1

Closed

Conversation

tomekr

@tomekr tomekr commented Jan 3, 2018

It looks like the run method takes the filename input and interpolates it into a backtick shell command without validating the filename. This can result in a code execution vulnerability should users of this wrapper not validate the filename (which could come from an untrusted source).

See this article for more information (https://www.hilman.io/blog/2016/01/stop-using-backtick-to-run-shell-command-in-ruby/)

This PR uses the Open3 standard library to execute the command, which will make sure that the parameters to soxi are properly escaped. It also adds some error handling should the soxi binary return an error.
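The two patterns under discussion, as an added example that is not the gem's code or the PR's diff: `describe_unsafe` reproduces the backtick interpolation the comment objects to, and `run_tool` shows the `Open3.capture3` argument-list form with error handling. `printf` stands in for `soxi` so the example runs without sox installed, the injected payload is a harmless `echo`, and `ToolError`, `run_tool`, `describe_unsafe`, `describe_safe` and `soxi_duration` are hypothetical names chosen here.

```ruby
require "open3"

# Raised when the external tool exits non-zero or cannot be started.
class ToolError < StandardError; end

# UNSAFE (the pattern the PR objects to): the filename is interpolated into a
# string that /bin/sh parses, so shell metacharacters inside it are executed.
# printf is used instead of soxi so this runs anywhere; the payload only echoes.
def describe_unsafe(filename)
  `printf '%s\n' #{filename}`
end

# SAFE: Open3.capture3 with a separate argument list execs the binary directly
# (no shell is involved), so the filename is always exactly one argv element.
# A non-zero exit status and a missing binary both surface as ToolError
# instead of silently returning empty output.
def run_tool(binary, *args)
  stdout, stderr, status = Open3.capture3(binary, *args)
  unless status.success?
    raise ToolError, "#{binary} exited #{status.exitstatus}: #{stderr.strip}"
  end
  stdout
rescue Errno::ENOENT
  raise ToolError, "#{binary} not found in PATH"
end

def describe_safe(filename)
  run_tool("printf", "%s\n", filename)
end

# Hypothetical wrapper for the gem's actual use case: duration in seconds via
# `soxi -D`. Not exercised below because soxi may not be installed.
def soxi_duration(filename)
  run_tool("soxi", "-D", filename).strip.to_f
end

if $PROGRAM_NAME == __FILE__
  evil = "track.wav; echo INJECTED"
  puts describe_unsafe(evil) # two lines: "track.wav" then "INJECTED"
  puts describe_safe(evil)   # one line: the whole string, untouched
end
```

The argument-list form of `Open3.capture3` (binary and each argument as separate strings) is what avoids the shell; passing a single pre-joined command string would go through `/bin/sh` again and gain nothing over backticks.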

@clauswitt
Member

Thanks for your PR. I have decided not to merge this, but to make a minor rewrite to the gem instead. (I have credited you in both the readme and the commit (3a52d77) message, though.)

As the readme says (now), we have abandoned this gem (we no longer use it). But I decided to make a release based on your suggestions (however, adding some error raising instead of just printing a string).

@clauswitt clauswitt closed this Mar 23, 2018