sumoheavy / jira-ruby

A Ruby gem for the JIRA REST API
MIT License

Resolve URI.open report #444

Closed bobbrodie closed 4 months ago

bobbrodie commented 4 months ago

Overview

This should help resolve #443 that resulted from CodeQL reporting:

Use of Kernel.open or IO.read or similar sinks with a non-constant value

Approach

I've switched from:

URI.open(content, default_headers.merge(headers), &block)

To:

URI.parse(content).open(default_headers.merge(headers), &block)

This should resolve the following case:

If Kernel.open is given a file name that starts with a | character, it will execute the remaining string as a shell command. If a malicious user can control the file name, they can execute arbitrary code. The same vulnerability applies to IO.read, IO.write, IO.binread, IO.binwrite, IO.foreach, IO.readlines and URI.open.
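The dispatch rule behind that CodeQL finding, and a resolver in the spirit of the PR's `URI.parse(content).open` change, as an added example that is not part of this PR or of jira-ruby. `falls_through_to_kernel_open?` restates the string check inside open-uri's `URI.open` as I read it (an assumption about library internals; check it against the open-uri.rb shipped with your Ruby). `resolve_remote_uri`, `fetch_remote` and `rejection_for` are hypothetical helper names, and the sample targets are constructed. Nothing in the block contacts the network or a shell.

```ruby
require "uri"
require "open-uri"

# Added example, not jira-ruby code. Mirrors the dispatch check in open-uri's
# URI.open as I read it (assumption): a String only reaches URI#open when it
# starts with "scheme://" AND parses to a URI class that defines #open
# (URI::HTTP, URI::HTTPS and URI::FTP via OpenURI::OpenRead). Everything else
# falls through to Kernel#open, where a leading "|" runs a shell command and a
# bare path reads a local file.
def falls_through_to_kernel_open?(name)
  return false if name.respond_to?(:open)
  if name.respond_to?(:to_str) && %r{\A[A-Za-z][A-Za-z0-9+\-\.]*://} =~ name
    return false if URI.parse(name).respond_to?(:open)
  end
  true
end

# Hardened resolver (hypothetical helper). URI.parse raises on "|id"-style
# strings, and a bare path parses to URI::Generic, which has no #open, so
# neither can reach Kernel#open. The explicit class check additionally drops
# ftp: (URI::FTP does have #open) and file: targets.
def resolve_remote_uri(content)
  uri = URI.parse(content) # URI::InvalidURIError for "|id"
  unless uri.is_a?(URI::HTTP) # URI::HTTPS < URI::HTTP
    raise ArgumentError, "refusing non-HTTP target #{uri.class}: #{content.inspect}"
  end
  raise ArgumentError, "URI has no host: #{content.inspect}" if uri.host.to_s.empty?
  uri
end

# Hypothetical call site shaped like the PR's: headers merged the same way,
# then OpenURI::OpenRead#open on the validated URI (network call, not run here).
def fetch_remote(content, default_headers = {}, headers = {}, &block)
  resolve_remote_uri(content).open(default_headers.merge(headers), &block)
end

# Offline probe: the exception class the resolver raises for +content+,
# or nil when the target is accepted.
def rejection_for(content)
  resolve_remote_uri(content)
  nil
rescue URI::InvalidURIError, ArgumentError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample targets; the first two are exactly the shapes CodeQL warns about.
  ["|id", "/etc/passwd", "file:///etc/passwd", "ftp://jira.example.com/pub/report.png",
   "https://jira.example.com/secure/attachment/10000/report.png"].each do |target|
    puts format("%-62s kernel_open_fallthrough=%-5s rejected=%s",
                target.inspect, falls_through_to_kernel_open?(target), rejection_for(target).inspect)
  end
end
```

Two caveats the PR text does not spell out: `URI.parse(content).open` by itself still accepts `ftp://` targets, because `URI::FTP` includes `OpenURI::OpenRead`, which is why the example checks for `URI::HTTP` explicitly; and neither the PR's change nor this example constrains which host gets contacted, so a caller that passes untrusted `content` still needs its own host allow-list if request forgery matters in its deployment.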

bobbrodie commented 4 months ago

@marlinpierce if you have a moment in the near future, could you take a peek at this and let me know what you think? Thanks in advance if you're able to.

marlinpierce commented 4 months ago

Those changes look fine to me. The only concern I have is removing stubbing and making the method call. If that is not a problem with potentially making a network call, then that is fine with me.