
Please provide methods to not depend on shell exec in raven-ruby gem #943

Closed
jsjohnst opened this issue Jan 10, 2020 · 1 comment · Fixed by #1017

@jsjohnst

jsjohnst commented Jan 10, 2020

Mature organizations usually run security management software (such as a SIEM) which alerts to issues with their code. One of the common features of these types of packages is letting you know about insecure operations the code running performs. Generally speaking, having production Ruby code invoke shell commands is considered to be an anti-pattern in security.

There are multiple places in the raven-ruby gem which invoke system commands:

  1. To get the current Git release version as performed in configuration.rb. Thankfully in the case where an organization does not want to perform this shell exec, you provide an override via the environment as performed here.
  2. In context.rb, it is used to pull in the ruby version via ruby -v. As the exact same information is available via RUBY_DESCRIPTION in all supported versions of Ruby (at least since Ruby 1.9.3 anyway, maybe earlier, which is long since end of life), can you please replace the invocation of the sys_command with a check to see if that exists, then fall back on the sys_command in the case it doesn't exist (if you prefer, honestly I don't see the reason to not just depend on RUBY_DESCRIPTION)?
  3. Also in context.rb, it is used to pull in information about the current operating system via repeated calls to uname with different flags being passed in. Can you please provide a way to pass this in via the environment as done in example 1 (with regards to the current release version), falling back on the shell exec for backwards compatibility and/or for those who want to enable auto-detection.

I'd be happy to provide a pull request if you prefer, but these changes should hopefully be fairly straightforward and I am surprised this hasn't come up before with other customers.
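The shape of the change requested in points 2 and 3, as an added example rather than raven-ruby's own code: the runtime version comes from the `RUBY_DESCRIPTION` constant and the uname fields from environment overrides, with the shell command reached only as a fallback. The module, method names and the `SENTRY_OS_*` variable names are assumptions made for this illustration.

```ruby
# Added example (not from the raven-ruby gem): collect runtime and OS context
# without shelling out when the same information is already available.
# The SENTRY_OS_* environment variable names are assumptions for this example.
require 'open3'

module ContextWithoutShell
  # uname flags the issue describes, each mapped to an assumed env override.
  OS_FIELDS = {
    name:           { flag: '-s', env: 'SENTRY_OS_NAME' },
    version:        { flag: '-v', env: 'SENTRY_OS_VERSION' },
    build:          { flag: '-r', env: 'SENTRY_OS_BUILD' },
    kernel_version: { flag: '-a', env: 'SENTRY_OS_KERNEL_VERSION' }
  }.freeze

  # Shell fallback; only reached when no in-process value or override exists.
  def self.sys_command(command)
    out, status = Open3.capture2e(command)
    status.success? ? out.strip : nil
  rescue SystemCallError
    nil
  end

  # Point 2: prefer the RUBY_DESCRIPTION constant; run `ruby -v` only if the
  # constant is somehow absent (the shell is injectable so tests can observe it).
  def self.runtime_context(shell: method(:sys_command))
    version = if defined?(RUBY_DESCRIPTION)
                RUBY_DESCRIPTION
              else
                shell.call('ruby -v')
              end
    { name: 'ruby', version: version }
  end

  # Point 3: take each uname field from the environment when set; otherwise
  # fall back to `uname <flag>` for that single field.
  def self.os_context(env = ENV, shell: method(:sys_command))
    OS_FIELDS.each_with_object({}) do |(key, spec), ctx|
      ctx[key] = env[spec[:env]] || shell.call("uname #{spec[:flag]}")
    end
  end
end
```

With all four `SENTRY_OS_*` variables set, `os_context` never executes a subprocess, which is the property a SIEM rule on shell execution would otherwise flag.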

jsjohnst pushed a commit to jsjohnst/raven-ruby that referenced this issue Jan 13, 2020
In issue getsentry#943 sub-point getsentry#2, it was identified that using RUBY_DESCRIPTION
returns the same thing as `ruby -v` does for all currently supported Ruby
versions. This change fixes that sub-point and provides a fallback to the
old method in the event as a safety precaution.
@st0012 st0012 added this to Needs triage in 3.x Aug 6, 2020
@st0012 st0012 added this to the 3.1.0 milestone Aug 14, 2020
@st0012 st0012 moved this from Needs triage to High priority in 3.x Aug 14, 2020
@st0012 st0012 moved this from High priority to Medium priority in 3.x Aug 14, 2020
@st0012
Collaborator

st0012 commented Sep 10, 2020

I have added #1017 to address points 2 and 3

3.x automation moved this from Medium priority to Closed Sep 10, 2020