[Ruby] force users to specify the temp folder path to address security concerns (#8730)

* address security issue when downloading files in the ruby client * update samples * fix double quote
2025-12-11 16:02:44 +00:00 · 2021-02-20 11:49:10 +08:00
parent 095019a6d8
commit 18a6f5a941
7 changed files with 60 additions and 3 deletions
--- a/samples/openapi3/client/extensions/x-auth-id-alias/ruby-client/lib/x_auth_id_alias/api_client.rb
+++ b/samples/openapi3/client/extensions/x-auth-id-alias/ruby-client/lib/x_auth_id_alias/api_client.rb
@@ -164,6 +164,13 @@ module XAuthIDAlias
    #
    # @see Configuration#temp_folder_path
    def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
      tempfile = nil
      encoding = nil
      request.on_headers do |response|
@@ -179,10 +186,12 @@ module XAuthIDAlias
        tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
        @tempfile = tempfile
      end
+
      request.on_body do |chunk|
        chunk.force_encoding(encoding)
        tempfile.write(chunk)
      end
+
      request.on_complete do |response|
        if tempfile
          tempfile.close