[Ruby] force users to specify the temp folder path to address security concerns (#8730)

* address security issue when downloading files in the ruby client * update samples * fix double quote
2021-02-20 11:49:10 +08:00
parent 095019a6d8
commit 18a6f5a941
7 changed files with 60 additions and 3 deletions
--- a/samples/openapi3/client/features/dynamic-servers/ruby/lib/dynamic_servers/api_client.rb
+++ b/samples/openapi3/client/features/dynamic-servers/ruby/lib/dynamic_servers/api_client.rb
@@ -94,7 +94,6 @@ module DynamicServers
      query_params = opts[:query_params] || {}
      form_params = opts[:form_params] || {}

-
      # set ssl_verifyhosts option based on @config.verify_ssl_host (true/false)
      _verify_ssl_host = @config.verify_ssl_host ? 2 : 0

@@ -163,6 +162,13 @@ module DynamicServers
    #
    # @see Configuration#temp_folder_path
    def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
      tempfile = nil
      encoding = nil
      request.on_headers do |response|
@@ -178,10 +184,12 @@ module DynamicServers
        tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
        @tempfile = tempfile
      end
+
      request.on_body do |chunk|
        chunk.force_encoding(encoding)
        tempfile.write(chunk)
      end
+
      request.on_complete do |response|
        if tempfile
          tempfile.close