Mature organizations usually run security management software (such as a SIEM) which alerts to issues with their code. One of the common features of these types of packages is letting you know about insecure operations the running code performs. Generally speaking, having production Ruby code invoke shell commands is considered to be an anti-pattern in security.

There are multiple places in the raven-ruby gem which invoke system commands:

1. To get the current Git release version as performed in configuration.rb. Thankfully, in the case where an organization does not want to perform this shell exec, you provide an override via the environment as performed here.
2. In context.rb, it is used to pull in the Ruby version via `ruby -v`. As the exact same information is available via `RUBY_DESCRIPTION` in all supported versions of Ruby (at least since Ruby 1.9.3 anyway, maybe earlier, which is long since end of life), can you please replace the invocation of the `sys_command` with a check to see if that exists, then fall back on the `sys_command` in the case it doesn't exist (if you prefer; honestly I don't see the reason to not just depend on `RUBY_DESCRIPTION`)?
3. Also in context.rb, it is used to pull in information about the current operating system via repeated calls to `uname` with different flags being passed in. Can you please provide a way to pass this in via the environment as done in example 1 (with regards to the current release version), falling back on the shell exec for backwards compatibility and/or for those who want to enable auto-detection?

I'd be happy to provide a pull request if you prefer, but these changes should hopefully be fairly straightforward and I am surprised this hasn't come up before with other customers.
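The two changes requested in sub-points 2 and 3 above, worked through as an added example (this is not raven-ruby's own code). It reads `RUBY_DESCRIPTION` in-process and only shells out when that constant is absent, and it builds the OS context from environment variables first, falling back to `uname` only when auto-detection is allowed. The environment variable names (`RAVEN_OS_*`), the `allow_exec` switch, and the mapping of context fields to `uname` flags are assumptions made for the example; `RbConfig::CONFIG['host_os']` is real Ruby stdlib and serves as the no-exec fallback for the OS name.

```ruby
# Added example, not raven-ruby code: gather runtime context without
# shelling out unless the caller explicitly allows it.
require 'open3'
require 'rbconfig'

module RuntimeInfo
  # Hypothetical environment overrides (names assumed for this example).
  OS_ENV_KEYS = {
    name:           'RAVEN_OS_NAME',
    version:        'RAVEN_OS_VERSION',
    build:          'RAVEN_OS_BUILD',
    kernel_version: 'RAVEN_OS_KERNEL_VERSION'
  }.freeze

  # Assumed field-to-flag mapping used only when auto-detection is enabled.
  UNAME_FLAGS = {
    name:           '-s',
    version:        '-v',
    build:          '-r',
    kernel_version: '-a'
  }.freeze

  # Run a command in argv form (no shell), returning stripped stdout or nil.
  # A missing binary or non-zero exit yields nil instead of raising.
  def self.sys_command(*argv)
    out, status = Open3.capture2(*argv, err: File::NULL)
    status.success? ? out.strip : nil
  rescue Errno::ENOENT
    nil
  end

  # Prefer the in-process constant; only fall back to `ruby -v` when the
  # constant is missing and the caller permits executing commands.
  def self.ruby_description(allow_exec: true)
    return RUBY_DESCRIPTION if Object.const_defined?(:RUBY_DESCRIPTION)
    return nil unless allow_exec

    sys_command('ruby', '-v')
  end

  # Build the OS context: environment first, then optional uname
  # auto-detection, then RbConfig for the OS name as a last resort.
  def self.os_context(env: ENV, allow_exec: true)
    ctx = OS_ENV_KEYS.to_h { |field, key| [field, presence(env[key])] }
    if allow_exec
      ctx.each_key { |field| ctx[field] ||= sys_command('uname', UNAME_FLAGS[field]) }
    end
    ctx[:name] ||= RbConfig::CONFIG['host_os']
    ctx
  end

  # Treat nil and blank strings as "not provided".
  def self.presence(value)
    return nil if value.nil?

    stripped = value.strip
    stripped.empty? ? nil : stripped
  end
end

if __FILE__ == $PROGRAM_NAME
  # With allow_exec: false nothing is executed, which is what a SIEM-monitored
  # deployment would want; values come only from the environment and RbConfig.
  puts RuntimeInfo.ruby_description(allow_exec: false)
  p RuntimeInfo.os_context(allow_exec: false)
end
```

Running with `allow_exec: false` is the "no shell exec" mode the issue asks for; the default keeps today's auto-detection for users who want it.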
jsjohnst pushed a commit to jsjohnst/raven-ruby that referenced this issue on Jan 13, 2020:
In issue getsentry#943 sub-point #2, it was identified that using `RUBY_DESCRIPTION`
returns the same thing as `ruby -v` does for all currently supported Ruby
versions. This change fixes that sub-point and provides a fallback to the
old method as a safety precaution.