From 6c159b96734f81efc24f2c1410cd979b5c272819 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 27 Jul 2020 19:11:03 +0100
Subject: [PATCH] Fix the Command Injection warnings from Brakeman
---
app/models/trace.rb | 12 ++++++------
config/brakeman.yml | 1 -
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/app/models/trace.rb b/app/models/trace.rb
index 97800a868..93486f9ed 100644
--- a/app/models/trace.rb
+++ b/app/models/trace.rb
@@ -220,17 +220,17 @@ class Trace < ApplicationRecord
file = Tempfile.new("trace.#{id}")
if tarred && gzipped
- system("tar -zxOf #{trace_name} > #{file.path}")
+ system("tar", "-zxOf", trace_name, :out => file.path)
elsif tarred && bzipped
- system("tar -jxOf #{trace_name} > #{file.path}")
+ system("tar", "-jxOf", trace_name, :out => file.path)
elsif tarred
- system("tar -xOf #{trace_name} > #{file.path}")
+ system("tar", "-xOf", trace_name, :out => file.path)
elsif gzipped
- system("gunzip -c #{trace_name} > #{file.path}")
+ system("gunzip", "-c", trace_name, :out => file.path)
elsif bzipped
- system("bunzip2 -c #{trace_name} > #{file.path}")
+ system("bunzip2", "-c", trace_name, :out => file.path)
elsif zipped
- system("unzip -p #{trace_name} -x '__MACOSX/*' > #{file.path} 2> /dev/null")
+ system("unzip", "-p", trace_name, "-x", "__MACOSX/*", :out => file.path, :err => "/dev/null")
end
file.unlink
diff --git a/config/brakeman.yml b/config/brakeman.yml
index 3551b75e4..48faf7b6d 100644
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -1,6 +1,5 @@
:skip_checks: # These checks are skipped, but should be considered TODO
-- CheckExecute
- CheckFileAccess
- CheckRedirect
- CheckRender
--
2.43.2
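Review bot: None of the six `system` calls in the trace.rb hunk check their return value, so a corrupt or truncated archive (or a missing `tar`/`unzip` binary, where `system` returns nil) leaves `file` empty and the code after the hunk goes on to treat it as a trace. Each branch can be tightened without changing its shape, e.g. `system("tar", "-zxOf", trace_name, :out => file.path) || raise("decompression of #{trace_name} failed")`, or, if the app runs on Ruby 2.6 or newer, by adding `:exception => true` to the option hash of every call. Switching to argv form also means `trace_name` is now handed to the tool verbatim, so if it can ever be a relative name starting with `-` (the hunk does not show how it is built) a `--` before it would stop tar/gunzip/bunzip2 reading it as an option. The enclosing method starts before the hunk and continues after `file.unlink`.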