
Prevent OS command injection #548

Merged
merged 7 commits into from Feb 1, 2021

Conversation

@kyoshidajp (Contributor) commented Jul 20, 2019

Fixes #547

@flavorjones flavorjones mentioned this pull request Jan 23, 2021
4 of 10 tasks complete
@flavorjones flavorjones force-pushed the kyoshidajp:fix_command_injection branch from 2ada035 to 5856fc8 Jan 30, 2021
@flavorjones (Member) commented Jan 30, 2021

Rebased onto current master

kyoshidajp and others added 6 commits Jul 20, 2019

- Related to GHSA-qrqm-fpv6-6r8g
- Related to GHSA-qrqm-fpv6-6r8g
- Related to GHSA-qrqm-fpv6-6r8g
- Related to GHSA-qrqm-fpv6-6r8g
- Also add general test coverage for FileResponse#read_body
- Related to GHSA-qrqm-fpv6-6r8g
  - change implicit Kernel.open to ::File.open
  - replace `eval` with `define_method`
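The two changes named in the last commit message above, shown as a stand-alone illustration. This is an added example, not Mechanize's own code: `read_body_unsafe`, `read_body_safe`, `HEADER_FIELDS` and `RequestHeaders` are made-up names, and the pipe-prefixed "file name" `|echo injected` is a constructed, harmless stand-in for an attacker-supplied value.

```ruby
require "tempfile"

# BEFORE (the bug class this PR removes): a bare `open` call resolves to
# Kernel#open, which treats a name beginning with "|" as a shell command to
# spawn and returns that command's stdout. If `path` is influenced by a
# remote server (a redirect target, a suggested download name), that is OS
# command injection. "|echo injected" stands in for the attacker's command.
def read_body_unsafe(path)
  open(path) { |io| io.read } # implicit Kernel#open, the pattern the fix replaces
end

# AFTER: ::File.open has no pipe special case. "|echo injected" is just a
# file name that does not exist, so the call raises Errno::ENOENT instead of
# running anything. "rb" keeps the body bytes untouched, as a response body
# reader wants.
def read_body_safe(path)
  ::File.open(path, "rb") { |io| io.read }
end

# Convenience for a regression check: does the hardened reader refuse a
# pipe-prefixed name? Returns :blocked when File.open raises ENOENT.
def hardened_reader_outcome(path)
  read_body_safe(path)
  :read
rescue Errno::ENOENT
  :blocked
end

# Second change from the same commit: generate per-header setters with
# define_method instead of eval'ing an interpolated string such as
#   class_eval "def #{field}=(v); @headers['#{field}'] = v; end"
# With string eval the field name is spliced into source text, so any name
# containing Ruby syntax becomes code. With define_method the name stays a
# plain String captured by the closure and is never parsed as Ruby.
HEADER_FIELDS = %w[host referer user-agent].freeze # constructed sample list

class RequestHeaders
  attr_reader :headers

  def initialize
    @headers = {}
  end

  HEADER_FIELDS.each do |field|
    setter = "#{field.tr('-', '_')}=" # "user-agent" -> user_agent=
    define_method(setter) { |value| @headers[field] = value }
  end
end
```

The same audit applies to any Ruby code that calls `open` without a receiver on a name it did not construct itself: `::File.open` (or `File.read`) closes the hole, while `IO.popen` should be used only where spawning a process is actually intended.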
@flavorjones flavorjones force-pushed the kyoshidajp:fix_command_injection branch from 5856fc8 to 5b30aed Jan 30, 2021
@flavorjones (Member) commented Jan 30, 2021

I've pushed several more commits to remove additional instances of implicit Kernel.open calls

@flavorjones (Member) commented Jan 30, 2021

I've created a security advisory at GHSA-qrqm-fpv6-6r8g. As soon as we are assigned a CVE, I'll merge this branch and cut a release, which will be v2.7.7.

@flavorjones flavorjones merged commit 66a6a1b into sparklemotion:master Feb 1, 2021
7 checks passed (github-actions): test (2.3), test (2.4), test (2.5), test (2.6), test (2.7), test (3.0), test (jruby)
@kyoshidajp kyoshidajp deleted the kyoshidajp:fix_command_injection branch Feb 2, 2021