mirror of https://github.com/discourse/discourse.git synced 2025-09-08 12:06:51 +08:00

DEV: Raise exception when execute_command will spawn a shell (#12716)

David Taylor 2021-04-15 16:29:37 +01:00 committed by GitHub
parent eb99ecf1d2
commit 0ec5fd5262
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 1 deletions


@ -95,10 +95,16 @@ module Discourse
private
def execute_command(*command, timeout: nil, failure_message: "", success_status_codes: [0], chdir: ".")
def execute_command(*command, timeout: nil, failure_message: "", success_status_codes: [0], chdir: ".", unsafe_shell: false)
env = nil
env = command.shift if command[0].is_a?(Hash)
if !unsafe_shell && (command.length == 1) && command[0].include?(" ")
# Sending a single string to Process.spawn will launch a shell
# This means various things (e.g. subshells) are possible, and could present injection risk
raise "Arguments should be provided as separate strings"
end
if timeout
# will send a TERM after timeout
# will send a KILL after timeout * 2