Title: Vulnerability Report for Ruby Gem gyazo-1.0.0
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
Download: http://rubygems.org/gems/gyazo
Gem Author: masui@pitecan.com
From: ./gyazo-1.0.0/lib/gyazo/client.rb
If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and
#{tmpfile} using shell meta characters like ; and sending an escaped \".
0through the #{imagefile} name if the raw option is not set. Also file names are time based and predictable leading
to file clobbering vulnerabilities as the running process username.
57 unless opts[:raw]
58 tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
59 if File.exist? imagefile
60 system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
61 end
62 end