Use URI.parse.open/File.open instead of open

This commit updates the dashboard to use `URI.parse` instead of `Kernel#open` because open can potentially open files on the server and has other possible security issues. Also updated the logger to use `File.open` as it is more explicit and doesn't have the extra potential for abuse like `Kernel#open` https://rubocop.readthedocs.io/en/latest/cops_security/#securityopen
2026-01-26 01:58:41 -05:00 · 2020-03-05 15:53:02 -08:00 · 2020-03-05 15:53:02 -08:00 · a839af2710
commit a839af2710
parent f90ef4839e
2 changed files with 3 additions and 3 deletions
--- a/lib/vmpooler/api/dashboard.rb
+++ b/lib/vmpooler/api/dashboard.rb
@ -83,7 +83,7 @@ module Vmpooler
            history ||= {}

            begin
-              buffer = open(graph_link('.ready.*&from=-1hour&format=json')).read
+              buffer = URI.parse(graph_link('.ready.*&from=-1hour&format=json')).read
              history = JSON.parse(buffer)

              history.each do |pool|
@ -136,7 +136,7 @@ module Vmpooler
        if params[:history]
          if graph_url
            begin
-              buffer = open(graph_link('.running.*&from=-1hour&format=json')).read
+              buffer = URI.parse(graph_link('.running.*&from=-1hour&format=json')).read
              JSON.parse(buffer).each do |pool|
                if pool['target'] =~ /.*\.(.*)$/
                  pool['name'] = Regexp.last_match[1]
--- a/lib/vmpooler/logger.rb
+++ b/lib/vmpooler/logger.rb
@ -16,7 +16,7 @@ module Vmpooler

      puts "[#{stamp}] #{string}" if ENV['VMPOOLER_DEBUG']

-      open(@file, 'a') do |f|
+      File.open(@file, 'a') do |f|
        f.puts "[#{stamp}] #{string}"
      end
    end