@_larry0

https://rubygems.org/gems/kelredd-pruview

If the file name contains shell meta characters. 

./kelredd-pruview-0.3.0/lib/pruview/document.rb


We see the user input isn't sanitized for shell metacharacters.  A malicious file with special characters in the filename could be used to execute commands as the local user.

69       run_system_command("convert -format jpg \"#{source}[0]\" \"#{@tempfile.path}\"", "Error processing postscript document")


85       colorspace = run_system_command("identify #{GLOBAL_CMD_ARGS} -format \"%r\" #{image.path}", "Error reading document colorspace")

141     def run_system_command(command, error_message)
142       output = `#{command}`
143       raise "#{error_message}: error given #{$?}\n#{output}" if $? != 0
144       return output
145     end
</pre>