Merge pull request #20130 from d-m-u/use_awesome_spawn_for_apache_stop

fix brakeman warning about possible command injection
ManageIQ · May 7, 2020 · 34bfb38 · 34bfb38
2 parents 927b99f + 14dab93
commit 34bfb38
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 21 deletions.
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -1,25 +1,5 @@
 {
   "ignored_warnings": [
-    {
-      "warning_type": "Command Injection",
-      "warning_code": 14,
-      "fingerprint": "14cf1baf5a62a0f109a2deb71920db195735f3054b031e50513d433f1566a670",
-      "check_name": "Execute",
-      "message": "Possible command injection",
-      "file": "lib/miq_apache/control.rb",
-      "line": 55,
-      "link": "http://brakemanscanner.org/docs/warning_types/command_injection/",
-      "code": "system(\"kill -WINCH #{`pgrep -P 1 httpd`.chomp.to_i}\")",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "MiqApache::Control",
-        "method": "s(:self).stop"
-      },
-      "user_input": "`pgrep -P 1 httpd`.chomp.to_i",
-      "confidence": "Medium",
-      "note": "The chomp.to_i ensures we get a number and we protect against 0 with a conditional.  The only other possible avenue for attack is if the attacker could replace pgrep, but then they already have root access, so it's a moot point."
-    },
     {
       "warning_type": "File Access",
       "warning_code": 16,

diff --git a/lib/miq_apache/control.rb b/lib/miq_apache/control.rb
@@ -52,7 +52,7 @@ def self.start
     def self.stop
       if ENV["CONTAINER"]
         pid = `pgrep -P 1 httpd`.chomp.to_i
-        system("kill -WINCH #{pid}") if pid > 0
+        Process.kill("WINCH", pid) if pid > 0
       else
         run_apache_cmd('stop')
       end