Replace insecure URI.open with URI.parse#open (#982)
`URI.open` is not safe because it can execute commands like those shown below:
```console
$ ruby -ropen-uri -e 'p URI.open(%q{| echo "hi"}).read'
"hi\n"
```
Replacing it with `URI.parse#open`, as already used in `Langchain::Loader`, makes it more secure:
https://github.com/patterns-ai-core/langchainrb/blob/0.19.5/lib/langchain/loader.rb#L95
```console
$ ruby -ropen-uri -e 'p URI.parse(%q{| echo "hi"}).open.read'
/Users/koic/.rbenv/versions/3.4.3/lib/ruby/gems/3.4.0/gems/uri-1.0.3/lib/uri/rfc3986_parser.rb:130:in 'URI::RFC3986_Parser#split': bad URI (is not URI?): "| echo \"hi\"" (URI::InvalidURIError)
	from /Users/koic/.rbenv/versions/3.4.3/lib/ruby/gems/3.4.0/gems/uri-1.0.3/lib/uri/rfc3986_parser.rb:135:in 'URI::RFC3986_Parser#parse'
	from /Users/koic/.rbenv/versions/3.4.3/lib/ruby/gems/3.4.0/gems/uri-1.0.3/lib/uri/common.rb:212:in 'URI.parse'
	from -e:1:in '<main>'
```
It also likely makes sense in terms of reusing the parsed `uri` object.
Co-authored-by: Andrei Bondarev <[email protected]>
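The contrast the PR describes, as an added example that is not part of langchainrb or of this PR: the same injected string is pushed through both call paths, and a hypothetical `parse_http_uri` helper (a name chosen here, not a project API) goes one step further than `URI.parse#open` by accepting only `http`/`https`, so schemes that parse fine but are unwanted (`ftp://`, `file://`) are rejected too. `unsafe_open`, `safer_open` and `probe` are likewise names chosen for this example; the inputs are constructed and none of the paths that the example exercises need network access.

```ruby
# Added example (not code from langchainrb): how URI.open and URI.parse#open
# treat attacker-controlled input, plus a small http(s)-only wrapper.
require "open-uri"
require "uri"

# Constructed attacker input, the same string as in the PR description.
INJECTED = %q{| echo "hi"}

# URI.open only parses strings that start with a scheme ("http://", ...);
# anything else is handed to Kernel#open, for which a leading "|" means
# "spawn this command and read its output". The result is command output,
# not an HTTP body.
def unsafe_open(input)
  URI.open(input).read
end

# URI.parse validates the syntax first (InvalidURIError for "|" and spaces),
# and the object it returns only defines #open for the schemes open-uri
# supports (URI::HTTP, URI::HTTPS, URI::FTP). Any other scheme, file:// for
# instance, ends in NoMethodError, so Kernel#open is never reached.
def safer_open(input)
  URI.parse(input).open.read
end

# Hypothetical helper (not from the project): parse and additionally require
# http or https, so ftp:// and other parsable-but-unwanted schemes fail as
# well. Returning the URI object lets callers reuse it, as the PR suggests.
def parse_http_uri(input)
  uri = URI.parse(input)
  unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
    raise ArgumentError, "expected an http(s) URL, got #{uri.scheme.inspect}"
  end
  uri
end

# Run a block against input and report what happened: the data it produced,
# or the class of the exception that stopped it.
def probe(input)
  yield input
rescue StandardError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "URI.open        -> #{probe(INJECTED) { |s| unsafe_open(s) }.inspect}"
  puts "URI.parse#open  -> #{probe(INJECTED) { |s| safer_open(s) }.inspect}"
  puts "URI.parse#open  -> #{probe("file:///etc/hostname") { |s| safer_open(s) }.inspect}"
  puts "parse_http_uri  -> #{probe("ftp://example.com/x") { |s| parse_http_uri(s) }.inspect}"
  puts "parse_http_uri  -> #{probe("https://example.com/x") { |s| parse_http_uri(s) }.inspect}"
end
```

Running the script really spawns `echo` for the `unsafe_open` line, which is the point: the `|` prefix turns a "download this URL" call into a subprocess. The `safer_open` and `parse_http_uri` lines all stop with an exception before any I/O, so `URI.parse` fails closed; the http(s)-only check is the extra guard to add when the URL comes from a user.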