Title: Vulnerability Report for Ruby Gem gyazo-1.0.0

Author: Larry W. Cashdollar, @_larry0<br><br>Date: 06/01/2014

Download: http://rubygems.org/gems/gyazo

Gem Author:  masui@pitecan.com

From: ./gyazo-1.0.0/lib/gyazo/client.rb

If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and
#{tmpfile} using shell meta characters like ; and sending an escaped \".

0through the #{imagefile} name if the raw option is not set.  Also file names are time based and predictable leading
to file clobbering vulnerabilities as the running process username.
 57       unless opts[:raw]
 58         tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
 59         if File.exist? imagefile
 60           system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
 61         end
 62       end