security: SlackNotifierでのCommand Injection脆弱性を解消

- app/services/slack_notifier.rb を新規追加
- curlコマンドをNet::HTTPに置換し、外部入力を安全に処理
- タイムアウト設定とエラーハンドリングを追加
- 2箇所のCommand Injection警告を解消

Author: nacchan99

app/services/slack_notifier.rb

@@ -0,0 +1,34 @@
+require "net/http"
+require "uri"
+require "json"
+
+class SlackNotifier
+  class << self
+    # @param message [String] 通知するメッセージ
+    # @param webhook_url [String] SlackのWebhook URL
+    # @return [Boolean] 送信成功なら true / 失敗なら false
+    def post_message(message, webhook_url)
+      return false if webhook_url.blank?
+
+      uri = URI.parse(webhook_url)
+
+      request = Net::HTTP::Post.new(uri)
+      request["Content-Type"] = "application/json"
+      request.body = { text: message.to_s }.to_json
+
+      response = Net::HTTP.start(
+        uri.host,
+        uri.port,
+        use_ssl: uri.scheme == "https",
+        open_timeout: 5,
+        read_timeout: 5
+      ) { |http| http.request(request) }
+
+      Rails.logger.info("Slack通知レスポンスコード: #{response.code}")
+      response.code.to_i.between?(200, 299)
+    rescue StandardError => e
+      Rails.logger.warn("Slack通知エラー: #{e.class} #{e.message}")
+      false
+    end
+  end
+end

lib/statistics/aggregation.rb

@@ -160,7 +160,7 @@ def notifierable?
 
         def notify(msg)
           $stdout.puts msg
-          puts `curl -X POST -H 'Content-type: application/json' --data '{"text":"#{msg}"}' #{slack_hook_url} -o /dev/null -w "slack: %{http_code}"` if notifierable?
+          SlackNotifier.post_message(msg, slack_hook_url) if notifierable?
         end
       end
     end

lib/upcoming_events/aggregation.rb

@@ -86,7 +86,7 @@ def notifierable?
 
         def notify(msg)
           $stdout.puts msg
-          puts `curl -X POST -H 'Content-type: application/json' --data '{"text":"#{msg}"}' #{slack_hook_url} -o /dev/null -w "slack: %{http_code}"` if notifierable?
+          SlackNotifier.post_message(msg, slack_hook_url) if notifierable?
         end
       end
     end