Use of `Kernel.open` or `IO.read` or similar sinks with a non-constant value

bobbrodie commented 4 months ago

Overview

Currently merged into master are new convenience methods for attachments added in #422 (merged into master). These are fantastic, and make it much easier to download and stream issue attachments.

I've been setting up CodeQL and one medium issue came up due to an issue with URI.open in attachment.rb:

URI.open(content, default_headers.merge(headers), &block)

Proposed Change

I've lightly tested the below change locally and am working on the webmock tests:

URI.parse(content).open(default_headers.merge(headers), &block)

Tracking issue for:

[ ] https://github.com/sumoheavy/jira-ruby/security/code-scanning/1

bobbrodie commented 4 months ago

@marlinpierce do you see any issues with this change?

marlinpierce commented 4 months ago

@bobbrodie I don't see a problem with that change if it works.

sumoheavy / jira-ruby

Use of `Kernel.open` or `IO.read` or similar sinks with a non-constant value #443

Overview

Proposed Change