From a839af271030b014862fb3969973e6b3a62a9bc7 Mon Sep 17 00:00:00 2001
From: Brandon High
Date: Thu, 5 Mar 2020 15:53:02 -0800
Subject: [PATCH] Use URI.parse.open/File.open instead of open

This commit updates the dashboard to use `URI.parse` instead of `Kernel#open` because open can potentially open files on the server and has other possible security issues.

Also updated the logger to use `File.open` as it is more explicit and doesn't have the extra potential for abuse like `Kernel#open`

https://rubocop.readthedocs.io/en/latest/cops_security/#securityopen
---
 lib/vmpooler/api/dashboard.rb | 4 ++--
 lib/vmpooler/logger.rb | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/vmpooler/api/dashboard.rb b/lib/vmpooler/api/dashboard.rb
index 84bae1d..4c56798 100644
--- a/lib/vmpooler/api/dashboard.rb
+++ b/lib/vmpooler/api/dashboard.rb
@@ -83,7 +83,7 @@ module Vmpooler
 history ||= {}
 begin
- buffer = open(graph_link('.ready.*&from=-1hour&format=json')).read
+ buffer = URI.parse(graph_link('.ready.*&from=-1hour&format=json')).read
 history = JSON.parse(buffer)
 history.each do |pool|
@@ -136,7 +136,7 @@ module Vmpooler
 if params[:history]
 if graph_url
 begin
- buffer = open(graph_link('.running.*&from=-1hour&format=json')).read
+ buffer = URI.parse(graph_link('.running.*&from=-1hour&format=json')).read
 JSON.parse(buffer).each do |pool|
 if pool['target'] =~ /.*\.(.*)$/
 pool['name'] = Regexp.last_match[1]
diff --git a/lib/vmpooler/logger.rb b/lib/vmpooler/logger.rb
index f8a9644..218ec4c 100644
--- a/lib/vmpooler/logger.rb
+++ b/lib/vmpooler/logger.rb
@@ -16,7 +16,7 @@ module Vmpooler
 puts "[#{stamp}] #{string}" if ENV['VMPOOLER_DEBUG']
- open(@file, 'a') do |f|
+ File.open(@file, 'a') do |f|
 f.puts "[#{stamp}] #{string}"
 end
 end
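Review bot: `URI.parse(...).read` on the added line in the `@@ -83` hunk only works while `open-uri` is loaded, because `URI::HTTP#read` is supplied by `OpenURI::OpenRead`; the hunk adds no `require 'open-uri'`, so it presumably relies on the requirement already being present (the replaced `open(url)` needed it too) — worth confirming, since on a bare `URI::Generic` the call raises `NoMethodError` instead of fetching anything. The change does close the local-file hole: a plain path or `file:` value in `graph_url` no longer reaches `Kernel#open`. If `graph_url` is operator configuration rather than request input (not visible here) that is sufficient; otherwise make the allowed scheme explicit, e.g. `uri = URI.parse(graph_link('.ready.*&from=-1hour&format=json'))` / `raise ArgumentError, 'graph_url must be http(s)' unless uri.is_a?(URI::HTTP)` / `buffer = uri.read`. The `begin` block's `rescue` clause is outside the hunk.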
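Review bot: The `@@ -136` hunk now repeats, character for character apart from the metric suffix, the fetch-and-parse sequence used for the `.ready.*` graph earlier in the same file, and both sites would need the same scheme guard and the same `open-uri` dependency; a single helper keeps the security property in one place. `graph_link` appears to append its argument to `graph_url` (inferred from the call, its definition is outside the hunk), so the helper below takes the suffix and returns parsed JSON, and the changed line becomes `fetch_graph_json('.running.*&from=-1hour&format=json').each do |pool|`. Whether it belongs in a Sinatra `helpers` block or as a private method depends on how `graph_link` is defined. The enclosing route and its `rescue` lie outside the hunk.
```ruby
# Fetch a Graphite render for +suffix+ appended to graph_url and parse it.
# Only http(s) targets are accepted, so a misconfigured graph_url can never
# become a local file read (the Kernel#open hazard this commit removes).
def fetch_graph_json(suffix)
  uri = URI.parse(graph_link(suffix))
  raise ArgumentError, 'graph_url must be http(s)' unless uri.is_a?(URI::HTTP)
  JSON.parse(uri.read) # URI::HTTP#read is provided by open-uri
end
# … unchanged: route body, pool name extraction …
```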
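Review bot: `File.open(@file, 'a')` on the added line creates the log file with umask-default permissions; if the log can carry anything sensitive (the hunk does not show what `string` contains), pass an explicit mode so the file is not world-readable on a permissive umask: `File.open(@file, 'a', 0o600) do |f|`. The switch itself is the right call, since unlike `Kernel#open` a `@file` value beginning with `|` can no longer spawn a subprocess. Note that the file is reopened on every log call; that is pre-existing behaviour and fine for correctness, just worth knowing under load. The enclosing method starts outside the hunk.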