
Fix shell injection attack.

1 parent 2b3bdee commit c7e58895e37c6dbe86ce35ee0b5d3c4f0b65f08c @ConradIrwin ConradIrwin committed Jul 22, 2011
@@ -85,16 +85,18 @@ def data(options = {})
ignore = options.fetch('ignore') { nil }
focus = options.fetch('focus') { nil }
if ::File.exists?(PROFILING_DATA_FILE)
- args = "--#{printer}"
- args += " --ignore=#{ignore}" if ignore
- args += " --focus=#{focus}" if focus
- cmd = "pprof.rb #{args} #{PROFILING_DATA_FILE}"
- cmd = "bundle exec " + cmd if @bundler
- stdout, stderr, status = Dir.chdir(@gemfile_dir) { run(cmd) }
+ args = ["--#{printer}"]
+ args << " --ignore=#{ignore}" if ignore
+ args << " --focus=#{focus}" if focus
+ args << PROFILING_DATA_FILE
+ cmd = ["pprof.rb"] + args
+ cmd = ["bundle", "exec"] + cmd if @bundler
+
+ stdout, stderr, status = Dir.chdir(@gemfile_dir) { run(*cmd) }
if status!=0
- raise ProfilingError.new("Running the command '#{cmd}' exited with status #{status}", stderr)
+ raise ProfilingError.new("Running the command '#{cmd.join(" ")}' exited with status #{status}", stderr)
elsif stdout.length == 0 && stderr.length > 0
- raise ProfilingError.new("Running the command '#{cmd}' failed to generate a file", stderr)
+ raise ProfilingError.new("Running the command '#{cmd.join(" ")}' failed to generate a file", stderr)
else
[printer, stdout]
end
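Review bot: The option elements appended at `args << " --ignore=#{ignore}"` and `args << " --focus=#{focus}"` keep the leading space that the old shell string needed, so once `run(*cmd)` hands them to popen4 as separate argv entries pprof.rb receives `" --ignore=foo"` rather than `--ignore=foo`. Drop the spaces: `args << "--ignore=#{ignore}" if ignore` and `args << "--focus=#{focus}" if focus`. The updated test expectations in the later hunks only cover the no-option argv (`'pprof.rb', '--text', …`), so a case with `ignore` or `focus` set would have caught this. The enclosing `data` method starts before this hunk, where `printer` is assigned; since that value is interpolated into the first argv element unchanged, it is worth confirming there that it is limited to the known printer names.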
@@ -105,10 +107,10 @@ def data(options = {})
private
- def run(command)
+ def run(*command)
out = err = ""
pid = nil
- status = Open4.popen4(command) do |pid, stdin, stdout, stderr|
+ status = Open4.popen4(*command) do |pid, stdin, stdout, stderr|
stdin.close
pid = pid
out = stdout.read
@@ -158,7 +158,7 @@ def profile_requests(profiled_app, requests, options = {})
should "call pprof.rb using 'bundle' command if bundler is set" do
status = stub_everything(:exitstatus => 0)
profiled_app = Rack::PerftoolsProfiler.new(@app, :bundler => true)
- Open4.expects(:popen4).with(regexp_matches(/^bundle exec pprof\.rb/)).returns(status)
+ Open4.expects(:popen4).with('bundle', 'exec', 'pprof.rb', '--text', '/tmp/rack_perftools_profiler.prof').returns(status)
profile(profiled_app)
end
@@ -105,7 +105,7 @@ def setup
should "call pprof.rb using 'bundle' command if bundler is set" do
status = stub_everything(:exitstatus => 0)
profiled_app = Rack::PerftoolsProfiler.new(@app, :bundler => true)
- Open4.expects(:popen4).with(regexp_matches(/^bundle exec pprof\.rb/)).returns(status)
+ Open4.expects(:popen4).with('bundle', 'exec', 'pprof.rb', '--text', '/tmp/rack_perftools_profiler.prof').returns(status)
profiled_app.call(@profiled_request_env)
end
