Mature organizations usually run security management software (such as a SIEM) which alerts on issues with their code. One of the common features of these types of packages is letting you know about insecure operations the running code performs. Generally speaking, having production Ruby code invoke shell commands is considered to be an anti-pattern in security.
There are multiple places in the raven-ruby gem which invoke system commands:
- To get the current Git release version as performed in configuration.rb. Thankfully in the case where an organization does not want to perform this shell exec, you provide an override via the environment as performed here.
- In context.rb, it is used to pull in the Ruby version via `ruby -v`. As the exact same information is available via `RUBY_DESCRIPTION` in all supported versions of Ruby (at least since Ruby 1.9.3 anyway, maybe earlier, which is long since end of life), can you please replace the invocation of the `sys_command` with a check to see if that exists, then fall back on the `sys_command` in the case it doesn't exist (if you prefer, honestly I don't see the reason to not just depend on `RUBY_DESCRIPTION`)?
- Also in context.rb, it is used to pull in information about the current OS via repeated calls to `uname` with different flags being passed in. Can you please provide a way to pass this in via the environment as done in example 1 (with regards to the current release version), falling back on the shell exec for backwards compatibility and/or for those who want to enable auto-detection?
I'd be happy to provide a pull request if you prefer, but these changes should hopefully be fairly straight forward and I am surprised this hasn't come up before with other customers.
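One way the two requested changes could look, as an added example that is not raven-ruby's own code: the Ruby version comes from `RUBY_DESCRIPTION` when the constant exists, and each `uname` field is read from an environment variable first, with the shell fallback only when auto-detection is allowed. The variable names (`SENTRY_OS_NAME`, `SENTRY_OS_VERSION`, `SENTRY_OS_BUILD`, `SENTRY_OS_KERNEL_VERSION`), the `ContextWithoutShell` module and its `runner` hook are assumptions for illustration, not identifiers from the gem.

```ruby
# Added example, not raven-ruby's code: collect runtime/OS context without
# shelling out when the information is available another way.
#
# Assumptions (hypothetical names, not raven-ruby's real ones):
#   - SENTRY_OS_NAME / _VERSION / _BUILD / _KERNEL_VERSION are the overrides.
#   - `runner` is any callable taking an argv array and returning stdout or nil.
module ContextWithoutShell
  OS_ENV_KEYS = {
    name:           'SENTRY_OS_NAME',
    version:        'SENTRY_OS_VERSION',
    build:          'SENTRY_OS_BUILD',
    kernel_version: 'SENTRY_OS_KERNEL_VERSION'
  }.freeze

  # argv used for each field when auto-detection is allowed (no shell involved).
  UNAME_ARGS = {
    name:           %w[uname -s],
    version:        %w[uname -r],
    build:          %w[uname -v],
    kernel_version: %w[uname -a]
  }.freeze

  MAX_VALUE_LENGTH = 256

  # Ruby version without a subprocess. RUBY_DESCRIPTION is set by the
  # interpreter at startup; the fallback only exists for interpreters that
  # might somehow lack the constant.
  def self.runtime_context(runner: method(:run_argv))
    version = if Object.const_defined?(:RUBY_DESCRIPTION)
                RUBY_DESCRIPTION
              else
                runner.call(%w[ruby -v])
              end
    { name: 'ruby', version: version }
  end

  # OS context: environment overrides first, `uname` only when allowed.
  # `env` is anything Hash-like (ENV in production, a plain Hash in tests).
  def self.os_context(env = ENV, auto_detect: true, runner: method(:run_argv))
    OS_ENV_KEYS.each_with_object({}) do |(field, key), ctx|
      value = sanitize(env[key])
      if value
        ctx[field] = value
      elsif auto_detect
        value = sanitize(runner.call(UNAME_ARGS[field]))
        ctx[field] = value if value
      end
    end
  end

  # Env values end up in the event payload: strip whitespace, drop empties and
  # cap the length so a hostile environment cannot stuff kilobytes into it.
  def self.sanitize(value)
    return nil if value.nil?
    s = value.to_s.strip
    return nil if s.empty?
    s[0, MAX_VALUE_LENGTH]
  end

  # Runs argv directly (no shell interpolation) and returns trimmed stdout,
  # or nil when the binary is missing or exits non-zero.
  def self.run_argv(argv)
    out = IO.popen(argv, err: File::NULL, &:read)
    $?.success? ? out.strip : nil
  rescue Errno::ENOENT, Errno::EACCES
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  p ContextWithoutShell.runtime_context
  p ContextWithoutShell.os_context                          # env first, uname fallback
  p ContextWithoutShell.os_context({}, auto_detect: false)  # never shells out
end
```

Passing `auto_detect: false` with a fully populated environment is the zero-subprocess configuration a SIEM-monitored deployment would want; leaving it true preserves the current behaviour for everyone else. Even the fallback runs `uname` as an argv array rather than through a shell string, so nothing from the environment is ever interpolated into a command line.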