Don't allow remote shell execution
Kernel#open accepts a string of format "| <shell command>" which executes the specified shell command and otherwise presumably acts as IO.popen. The open-uri standard library overrides Kernel#open to also accept URLs. However, the overridden Kernel#open just delegates to URI#open, so we switch to using that directly and avoid the remote shell execution vulnerability. For files we just use File.open, which should have the same behaviour as Kernel#open.
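As an added illustration of the pattern the commit message describes (this is example code, not mini_magick's own): dispatch on the parsed source so that URLs go through the `URI::HTTP#open` instance method and everything else through `File.open`, never through `Kernel#open`. The helper names `classify_source`, `safe_open` and `read_constructed_file` are this example's own.

```ruby
require "open-uri"
require "uri"
require "tempfile"

# Kernel#open treats a string starting with "|" as a shell command to run.
# File.open and URI::HTTP#open do not, so we decide which to call from the
# parsed source and never hand the raw string to Kernel#open.

# Classify a source string: :url for http(s) URLs, :file for anything else
# (plain paths, unparsable strings and "| cmd" all end up as :file).
def classify_source(source)
  uri = URI.parse(source)
  uri.is_a?(URI::HTTP) ? :url : :file
rescue URI::InvalidURIError
  :file
end

# Open a source without going through Kernel#open. A string such as
# "| echo hi" is passed to File.open as a literal file name and simply
# fails with Errno::ENOENT instead of spawning a shell.
def safe_open(source, &block)
  case classify_source(source)
  when :url then URI.parse(source).open(&block) # open-uri instance method
  else File.open(source, "rb", &block)
  end
end

# Read back a constructed local file through safe_open (written here so the
# example runs offline; the contents are made up for the demonstration).
def read_constructed_file
  Tempfile.create("safe_open_demo") do |tmp|
    tmp.write("constructed sample bytes")
    tmp.flush
    safe_open(tmp.path) { |io| io.read }
  end
end
```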
Showing 2 changed files with 14 additions and 8 deletions.
First of all, thanks for mini_magick (I'm a user on an app that tracked a big cycle I did) and for your work on this security fix. I work on GitHub's security workflows team and am looking into how we can make it easier for maintainers to publicise security vulnerabilities like this one. I'd love your feedback if you have 5 mins?
Specifically:
We're trying to make the process easier so if you have any feedback at all please let me know. You can email me on greysteil@github.com if you'd like to discuss anything privately.
The main reason was that I don't have admin access to the minimagick organization, so I don't have the permission to edit security advisories. I've had a surprisingly hard time requesting a CVE for this vulnerability. Trying directly on https://cve.mitre.org/ obviously wasn't a good user experience, but I even couldn't figure it out on HackerOne (we've had to email them for instructions). It would be nice if GitHub had a straightforward guide for how to request a CVE.
Really useful feedback - thanks. We can do that!
Oh interesting, thanks for that. I think requiring admin permission there makes sense, but will have a think on that one.