okleinschmidt / wdmc

The missing CLI Client for Western Digital MyCloud NAS Systems.
MIT License

security: Client class uses eval() to parse JSON #4

Closed tdilauro closed 6 years ago

tdilauro commented 6 years ago

Use of eval() on unsanitized responses is generally unsafe.

Some Client class methods use eval() to convert JSON to a hash with symbols as keys.

okleinschmidt commented 6 years ago

Sorry, I'm still learning. So that means JSON.parse would be better?:

require 'json'

def system_information
  response = get("#{@config['url']}/api/2.1/rest/system_information", {accept: :json, :cookies => cookies})
  # Parse the response body as JSON instead of eval()-ing it as Ruby code
  JSON.parse(response)['system_information']
end
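To make the difference concrete, here is an added example (not code from the wdmc project or from either commenter) that places the eval() pattern the issue describes beside the JSON.parse replacement. The two response bodies are constructed for the example; the function names parse_with_eval, parse_with_json and classify are hypothetical. The symbolize_names option gives the symbol-keyed hash that eval() was being used to produce, and the second body shows that eval() happily executes a reply that JSON.parse refuses.

```ruby
require 'json'

# Constructed sample body shaped like a system_information reply
# (not a real device response).
GOOD_BODY = '{"system_information": {"hostname": "mycloud", "firmware": "2.x"}}'

# Constructed body that is not JSON but is a valid Ruby hash literal.
# It stands in for any reply that deviates from the expected format.
RUBY_BODY = '{"system_information" => {"hostname" => "my" + "cloud", "answer" => 6 * 7}}'

# The pattern the issue reports: the response text is executed as Ruby
# code to obtain a hash. Whatever the reply contains is run.
def parse_with_eval(body)
  eval(body) # vulnerable: evaluates the response as Ruby code
end

# The fix: JSON.parse only accepts JSON. symbolize_names: true yields the
# same symbol-keyed hash the eval() approach was used to get.
def parse_with_json(body)
  JSON.parse(body, symbolize_names: true)
end

# Runs a parser over a body and reports whether it was accepted or rejected.
# SyntaxError must be named explicitly: it is not a StandardError.
def classify(parser, body)
  parser.call(body)
  :parsed
rescue JSON::ParserError, SyntaxError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_json(GOOD_BODY)
  p classify(method(:parse_with_json), RUBY_BODY) # :rejected
  p classify(method(:parse_with_eval), RUBY_BODY) # :parsed, with the expressions executed
end
```

Both parsers return the same hash for the well-formed body, so switching to JSON.parse costs nothing for the client; the gain is that a malformed or hostile reply is rejected with a parse error instead of being executed.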
tdilauro commented 6 years ago

No worries. I'm just tracking things that come up as I look through the code. I'm going to work on fixing some of these.

okleinschmidt commented 6 years ago

Thanks a lot. Sent you an invite to collaborate.

tdilauro commented 6 years ago

Issue #5 is blocking this issue for me. Will need a work-around.

tdilauro commented 6 years ago

Resolved. Closing.