Fix the Command Injection warnings from Brakeman

[rails.git] / app / models / trace.rb

diff --git a/app/models/trace.rb b/app/models/trace.rb
index 97800a86822f804f1dba741092a27feeb580dfb3..93486f9edf989c6f0235c662886f4090ab42340e 100644 (file)
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -220,17 +220,17 @@ class Trace < ApplicationRecord
       file = Tempfile.new("trace.#{id}")
 
       if tarred && gzipped
-        system("tar -zxOf #{trace_name} > #{file.path}")
+        system("tar", "-zxOf", trace_name, :out => file.path)
       elsif tarred && bzipped
-        system("tar -jxOf #{trace_name} > #{file.path}")
+        system("tar", "-jxOf", trace_name, :out => file.path)
       elsif tarred
-        system("tar -xOf #{trace_name} > #{file.path}")
+        system("tar", "-xOf", trace_name, :out => file.path)
       elsif gzipped
-        system("gunzip -c #{trace_name} > #{file.path}")
+        system("gunzip", "-c", trace_name, :out => file.path)
       elsif bzipped
-        system("bunzip2 -c #{trace_name} > #{file.path}")
+        system("bunzip2", "-c", trace_name, :out => file.path)
       elsif zipped
-        system("unzip -p #{trace_name} -x '__MACOSX/*' > #{file.path} 2> /dev/null")
+        system("unzip", "-p", trace_name, "-x", "__MACOSX/*", :out => file.path, :err => "/dev/null")
       end
 
       file.unlink