Merge pull request #1736 from coderdojo-japan/fix/brakeman-command-injection

Command Injection警告の解消（Slack通知処理の安全化）

Author: nacchan99

app/services/slack_notifier.rb

@@ -0,0 +1,34 @@
+require "net/http"
+require "uri"
+require "json"
+
+class SlackNotifier
+  class << self
+    # @param message [String] 通知するメッセージ
+    # @param webhook_url [String] SlackのWebhook URL
+    # @return [Boolean] 送信成功なら true / 失敗なら false
+    def post_message(message, webhook_url)
+      return false if webhook_url.blank?
+
+      uri = URI.parse(webhook_url)
+
+      request = Net::HTTP::Post.new(uri)
+      request["Content-Type"] = "application/json"
+      request.body = { text: message.to_s }.to_json
+
+      response = Net::HTTP.start(
+        uri.host,
+        uri.port,
+        use_ssl: uri.scheme == "https",
+        open_timeout: 5,
+        read_timeout: 5
+      ) { |http| http.request(request) }
+
+      Rails.logger.info("Slack通知レスポンスコード: #{response.code}")
+      response.code.to_i.between?(200, 299)
+    rescue StandardError => e
+      Rails.logger.warn("Slack通知エラー: #{e.class} #{e.message}")
+      false
+    end
+  end
+end

config/brakeman.ignore

@@ -1,28 +1,5 @@
 {
   "ignored_warnings": [
-    {
-      "warning_type": "Command Injection",
-      "warning_code": 14,
-      "fingerprint": "7307f11036b1ab86f410d8d967d3972618705df73cafdd17f8e311c10c76c1f1",
-      "check_name": "Execute",
-      "message": "Possible command injection",
-      "file": "lib/statistics/aggregation.rb",
-      "line": 163,
-      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
-      "code": "`curl -X POST -H 'Content-type: application/json' --data '{\"text\":\"#{msg}\"}' #{slack_hook_url} -o /dev/null -w \"slack: %{http_code}\"`",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Statistics::Statistics::Aggregation::Notifier",
-        "method": "s(:self).notify"
-      },
-      "user_input": "msg",
-      "confidence": "Medium",
-      "cwe_id": [
-        77
-      ],
-      "note": ""
-    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 4,
@@ -198,29 +175,6 @@
         79
       ],
       "note": ""
-    },
-    {
-      "warning_type": "Command Injection",
-      "warning_code": 14,
-      "fingerprint": "e5394a11f2e9bb6bc213b7ebd34fbcead20048858592aa19e5ae2961f33c636d",
-      "check_name": "Execute",
-      "message": "Possible command injection",
-      "file": "lib/upcoming_events/aggregation.rb",
-      "line": 89,
-      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
-      "code": "`curl -X POST -H 'Content-type: application/json' --data '{\"text\":\"#{msg}\"}' #{slack_hook_url} -o /dev/null -w \"slack: %{http_code}\"`",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "UpcomingEvents::UpcomingEvents::Aggregation::Notifier",
-        "method": "s(:self).notify"
-      },
-      "user_input": "msg",
-      "confidence": "Medium",
-      "cwe_id": [
-        77
-      ],
-      "note": ""
     }
   ],
   "brakeman_version": "7.1.0"

lib/statistics/aggregation.rb

@@ -160,7 +160,7 @@ def notifierable?
 
         def notify(msg)
           $stdout.puts msg
-          puts `curl -X POST -H 'Content-type: application/json' --data '{"text":"#{msg}"}' #{slack_hook_url} -o /dev/null -w "slack: %{http_code}"` if notifierable?
+          SlackNotifier.post_message(msg, slack_hook_url) if notifierable?
         end
       end
     end

lib/upcoming_events/aggregation.rb

@@ -86,7 +86,7 @@ def notifierable?
 
         def notify(msg)
           $stdout.puts msg
-          puts `curl -X POST -H 'Content-type: application/json' --data '{"text":"#{msg}"}' #{slack_hook_url} -o /dev/null -w "slack: %{http_code}"` if notifierable?
+          SlackNotifier.post_message(msg, slack_hook_url) if notifierable?
         end
       end
     end