Please provide methods to not depend on shell exec in raven-ruby gem #943
jsjohnst pushed a commit to jsjohnst/raven-ruby that referenced this issue on Jan 13, 2020:

In issue getsentry#943 sub-point 2, it was identified that using RUBY_DESCRIPTION returns the same thing as `ruby -v` does for all currently supported Ruby versions. This change fixes that sub-point and provides a fallback to the old method in the event as a safety precaution.
I have added #1017 to address points 2 and 3.
Mature organizations usually run security management software (such as a SIEM) which alerts to issues with their code. One of the common features of these types of packages is letting you know about insecure operations the running code performs. Generally speaking, having production Ruby code invoke shell commands is considered to be an anti-pattern in security.

There are multiple places in the raven-ruby gem which invoke system commands:

2. `ruby -v`. As the exact same information is available via `RUBY_DESCRIPTION` in all supported versions of Ruby (at least since Ruby 1.9.3 anyway, maybe earlier, which is long since end of life), can you please replace the invocation of the `sys_command` with a check to see if that exists, then fall back on the `sys_command` in the case it doesn't exist (if you prefer, honestly I don't see the reason to not just depend on `RUBY_DESCRIPTION`)?

3. `uname` with different flags being passed in. Can you please provide a way to pass this in via the environment as done in example 1 (with regards to the current release version), falling back on the shell exec for backwards compatibility and/or for those who want to enable auto-detection.

I'd be happy to provide a pull request if you prefer, but these changes should hopefully be fairly straightforward and I am surprised this hasn't come up before with other customers.
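The following is an added example, not code from raven-ruby or from the issue author, showing how points 2 and 3 above can be implemented: `RUBY_DESCRIPTION` replaces `ruby -v`, OS details are taken from the environment first, and any remaining exec uses the argv form (no `/bin/sh`) and only when explicitly opted in. It goes one step beyond the issue by using `Etc.uname`, which asks libc for the same fields `uname -s/-r/-v` print, so the `uname` binary is never needed on Ruby 2.2 or later. The environment variable names (`RAVEN_OS_NAME`, `RAVEN_OS_VERSION`, `RAVEN_OS_BUILD`, `RAVEN_OS_AUTODETECT`) are assumptions chosen for this example.

```ruby
require "etc"
require "open3"
require "rbconfig"

# Added example, not raven-ruby's code: gather the Ruby and OS context a
# crash reporter sends, preferring values Ruby already exposes in-process
# over spawning `ruby -v` / `uname`. The environment variable names below
# are assumptions made for this example.
module ShellFreeContext
  ENV_OS_NAME    = "RAVEN_OS_NAME"
  ENV_OS_VERSION = "RAVEN_OS_VERSION"
  ENV_OS_BUILD   = "RAVEN_OS_BUILD"
  ENV_AUTODETECT = "RAVEN_OS_AUTODETECT" # "1" opts in to the exec fallback

  # `ruby -v` prints RUBY_DESCRIPTION followed by a newline, so the
  # constant is the shell-free equivalent. The exec is kept only as a
  # fallback for an interpreter that somehow lacks the constant.
  def self.ruby_description
    return RUBY_DESCRIPTION if defined?(RUBY_DESCRIPTION)

    run_command(RbConfig.ruby, "-v")
  end

  # Check of the equivalence claim from the issue: run `ruby -v` once
  # (argv form, no shell) and compare it against the constant.
  def self.ruby_v_matches_description?
    run_command(RbConfig.ruby, "-v") == RUBY_DESCRIPTION
  end

  # Resolution order: operator-supplied environment values, then
  # Etc.uname (a libc uname(2) call, available since Ruby 2.2), and only
  # when autodetection is explicitly enabled, the `uname` binary.
  def self.os_context(env = ENV, allow_exec: env[ENV_AUTODETECT] == "1")
    if env.key?(ENV_OS_NAME)
      return { name: env[ENV_OS_NAME],
               version: env[ENV_OS_VERSION],
               build: env[ENV_OS_BUILD] }
    end

    if Etc.respond_to?(:uname)
      u = Etc.uname
      return { name: u[:sysname], version: u[:release], build: u[:version] }
    end

    return {} unless allow_exec

    { name: run_command("uname", "-s"),
      version: run_command("uname", "-r"),
      build: run_command("uname", "-v") }
  end

  # Executes argv directly (no /bin/sh, so no word splitting or variable
  # interpolation); returns nil when the binary is missing or fails.
  def self.run_command(*argv)
    out, status = Open3.capture2(*argv)
    status.success? ? out.strip : nil
  rescue Errno::ENOENT
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  puts ShellFreeContext.ruby_description
  p ShellFreeContext.os_context
end
```

Passing a plain Hash as `env` makes the resolution order testable without touching the real process environment, and keeping every exec in `run_command` means a SIEM rule that flags process spawning has exactly one code path to review.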