Audit: Calls to methods in the IO class must be avoided; they can lead to a critical 'OS command injection' bug

File.read is safer to use than IO.read

DESCRIPTION:

Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally.

If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk. Consider using File.read to protect yourself against the unintended subprocess invocation.

References: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') https://cwe.mitre.org/data/definitions/78.html
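The difference between the two calls, as an added illustration that is not part of this issue or of the omnibus-gitlab code base: `read_file_only` is a hypothetical helper that reads a path which may originate from untrusted input. It relies on `File.read`, which on current Ruby releases treats a leading `|` as part of an ordinary filename rather than as a subprocess to spawn (the behaviour the description above relies on), and adds an explicit reject of pipe-style paths as defense in depth so the intent is visible to reviewers and audit tooling. The demonstration creates a scratch file whose name begins with `|` and shows that `File.read` returns its bytes instead of running anything.

```ruby
require "tmpdir"

# Hypothetical helper (not from omnibus-gitlab): read a file whose path may
# come from configuration or user input. File.read never interprets a
# leading '|' as a command, unlike IO.read / Kernel#open; the explicit check
# is defense in depth so a reviewer sees that pipe paths are not wanted here.
def read_file_only(path)
  path = path.to_s
  if path.start_with?("|")
    raise ArgumentError, "refusing pipe-style path: #{path.inspect}"
  end
  File.read(path)
end

# Demonstration in a throwaway directory: a file whose *name* starts with '|'.
# IO.read would treat that name as a command to execute; File.read simply
# opens the file. Returns what each path-handling strategy produced.
def demonstrate_file_read_is_literal
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("|not-a-command", "plain file contents\n")

      # File.read: the pipe character is just the first byte of the filename.
      literal = File.read("|not-a-command")

      # The hardened helper refuses the suspicious name outright.
      rejected = begin
        read_file_only("|not-a-command")
        false
      rescue ArgumentError
        true
      end

      { literal: literal, rejected: rejected }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demonstrate_file_read_is_literal
  puts "File.read returned: #{result[:literal].inspect}"
  puts "helper rejected pipe path: #{result[:rejected]}"
end
```

When replacing the `IO.read` calls listed below, a one-for-one swap to `File.read` removes the subprocess path; the extra `start_with?("|")` guard is optional and only useful where the path is not a compile-time literal.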

IO.read should be fixed in these 4 places:

https://github.com/gitlabhq/omnibus-gitlab/blob/3c9efbb1c02c08f0936dff2309d7e100fd35b040/config/projects/gitlab.rb#L30

https://github.com/gitlabhq/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/libraries/rails_migration_helper.rb#L28-L28

https://github.com/gitlabhq/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/libraries/rails_migration_helper.rb#L32-L32

https://github.com/gitlabhq/omnibus-gitlab/blob/master/files/gitlab-cookbooks/runit/metadata.rb#L7-L7
