Contributor

@kreeksec kreeksec commented Aug 6, 2025

open(pidfile.path) { |f| f.read.must_equal $$.to_s }

If Kernel.open is given a file name that starts with a | character, it will execute the remaining string as a shell command. If a malicious user can control the file name, they can execute arbitrary code. The same vulnerability applies to IO.read, IO.write, IO.binread, IO.binwrite, IO.foreach, IO.readlines and URI.open.

To fix the problem, replace the use of open(pidfile.path) with File.open(pidfile.path). This ensures that the file is opened directly, and there is no risk of shell command execution if the path starts with a pipe character. The change should be made on line 528 of test/spec_server.rb. No additional imports or method definitions are required, as File is a core Ruby class.

References

Command Injection. Ruby on Rails Cheat Sheet: Command Injection
Command Injection in RDoc
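
A rough way to find the call pattern described in the comment above and to confirm that File.open takes a leading | literally, as an added example that is not part of the pull request or of Rack's code. The scanner is a line-based heuristic rather than a parser, and the sample source (including params[:name] and url) and the file name |pid are constructed for illustration.

```ruby
require "tmpdir"

# IO class methods the comment lists as honouring a leading "|".
PIPE_AWARE_IO = %w[read write binread binwrite foreach readlines].freeze

# Heuristic scanner: returns [line_number, call] pairs for bare open(...),
# IO.<method>(...) and URI.open(...) whose first argument is not a plain,
# non-interpolated string literal. File.open / File.read are not flagged.
def risky_open_calls(source)
  pattern = /(?<![.\w])(open|IO\.(?:#{PIPE_AWARE_IO.join("|")})|URI\.open)\s*\(\s*([^)\s,]+)/
  source.each_line.with_index(1).filter_map do |line, number|
    next if line.lstrip.start_with?("#")            # skip full-line comments
    match = pattern.match(line)
    next unless match
    next if match[2].match?(/\A(["'])[^#]*\1\z/)    # fixed literal path
    [number, match[1]]
  end
end

# File.open treats the whole string as a file name, so a file literally
# named "|pid" (constructed name) is read back, not interpreted.
def read_literal_pipe_name
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.open("|pid", "w") { |f| f.write("4242") }
      File.open("|pid") { |f| f.read }
    end
  end
end

# Constructed sample source; line 1 is the call quoted in the comment above.
SAMPLE = <<~'RUBY'
  open(pidfile.path) { |f| f.read.must_equal $$.to_s }
  File.open(pidfile.path) { |f| f.read.must_equal $$.to_s }
  IO.read(params[:name])
  File.read("config.ru")
  URI.open(url)
RUBY

risky_open_calls(SAMPLE).each { |number, call| puts "line #{number}: #{call}" }
puts "File.open read back: #{read_literal_pipe_name}"
```

A flagged line still needs a human look at where the argument comes from, which is the point the maintainers make in their replies about this test path.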

@leahneukirchen
Member

Irrelevant, as the path surely is a proper path. But probably better style to use File.read here.

@ioquatix ioquatix merged commit 5d18f5a into rack:main Aug 6, 2025
16 of 19 checks passed
@ioquatix
Member

ioquatix commented Aug 6, 2025

Thanks - not a security issue but a good change nonetheless.
