[Ruby] force users to specify the temp folder path to address security concerns (#8730)

wing328 · web-flow · commit 18a6f5a941f3 · 2021-02-20T11:49:10.000+08:00
* address security issue when downloading files in the ruby client

* update samples

* fix double quote
diff --git a/modules/openapi-generator/src/main/resources/ruby-client/api_client.mustache b/modules/openapi-generator/src/main/resources/ruby-client/api_client.mustache
@@ -71,6 +71,13 @@ module {{moduleName}}
       {{/isFaraday}}
       {{#isFaraday}}
       if return_type == 'File'
+        # throw an exception if the temp folder path is not defined
+        # to avoid using the default temp directory which can be read by anyone
+        if @config.temp_folder_path.nil?
+          raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"]) " +
+                "to avoid dowloading the file to a location readable by everyone."
+        end
+
         content_disposition = response.headers['Content-Disposition']
         if content_disposition && content_disposition =~ /filename=/i
           filename = content_disposition[/filename=['"]?([^'"\s]+)['"]?/, 1]
diff --git a/modules/openapi-generator/src/main/resources/ruby-client/api_client_typhoeus_partial.mustache b/modules/openapi-generator/src/main/resources/ruby-client/api_client_typhoeus_partial.mustache
@@ -52,8 +52,8 @@
 
       {{#hasAuthMethods}}
       update_params_for_auth! header_params, query_params, opts[:auth_names]
-      {{/hasAuthMethods}}
 
+      {{/hasAuthMethods}}
       # set ssl_verifyhosts option based on @config.verify_ssl_host (true/false)
       _verify_ssl_host = @config.verify_ssl_host ? 2 : 0
 
@@ -122,6 +122,13 @@
     #
     # @see Configuration#temp_folder_path
     def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
       tempfile = nil
       encoding = nil
       request.on_headers do |response|
@@ -137,10 +144,12 @@
         tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
         @tempfile = tempfile
       end
+
       request.on_body do |chunk|
         chunk.force_encoding(encoding)
         tempfile.write(chunk)
       end
+
       request.on_complete do |response|
         if tempfile
           tempfile.close
diff --git a/samples/client/petstore/ruby-faraday/lib/petstore/api_client.rb b/samples/client/petstore/ruby-faraday/lib/petstore/api_client.rb
@@ -203,6 +203,13 @@ def deserialize(response, return_type)
       # handle file downloading - return the File instance processed in request callbacks
       # note that response body is empty when the file is written in chunks in request on_body callback
       if return_type == 'File'
+        # throw an exception if the temp folder path is not defined
+        # to avoid using the default temp directory which can be read by anyone
+        if @config.temp_folder_path.nil?
+          raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"]) " +
+                "to avoid dowloading the file to a location readable by everyone."
+        end
+
         content_disposition = response.headers['Content-Disposition']
         if content_disposition && content_disposition =~ /filename=/i
           filename = content_disposition[/filename=['"]?([^'"\s]+)['"]?/, 1]
diff --git a/samples/client/petstore/ruby/lib/petstore/api_client.rb b/samples/client/petstore/ruby/lib/petstore/api_client.rb
@@ -164,6 +164,13 @@ def build_request_body(header_params, form_params, body)
     #
     # @see Configuration#temp_folder_path
     def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
       tempfile = nil
       encoding = nil
       request.on_headers do |response|
@@ -179,10 +186,12 @@ def download_file(request)
         tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
         @tempfile = tempfile
       end
+
       request.on_body do |chunk|
         chunk.force_encoding(encoding)
         tempfile.write(chunk)
       end
+
       request.on_complete do |response|
         if tempfile
           tempfile.close
diff --git a/samples/openapi3/client/extensions/x-auth-id-alias/ruby-client/lib/x_auth_id_alias/api_client.rb b/samples/openapi3/client/extensions/x-auth-id-alias/ruby-client/lib/x_auth_id_alias/api_client.rb
@@ -164,6 +164,13 @@ def build_request_body(header_params, form_params, body)
     #
     # @see Configuration#temp_folder_path
     def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
       tempfile = nil
       encoding = nil
       request.on_headers do |response|
@@ -179,10 +186,12 @@ def download_file(request)
         tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
         @tempfile = tempfile
       end
+
       request.on_body do |chunk|
         chunk.force_encoding(encoding)
         tempfile.write(chunk)
       end
+
       request.on_complete do |response|
         if tempfile
           tempfile.close
diff --git a/samples/openapi3/client/features/dynamic-servers/ruby/lib/dynamic_servers/api_client.rb b/samples/openapi3/client/features/dynamic-servers/ruby/lib/dynamic_servers/api_client.rb
@@ -94,7 +94,6 @@ def build_request(http_method, path, opts = {})
       query_params = opts[:query_params] || {}
       form_params = opts[:form_params] || {}
 
-
       # set ssl_verifyhosts option based on @config.verify_ssl_host (true/false)
       _verify_ssl_host = @config.verify_ssl_host ? 2 : 0
 
@@ -163,6 +162,13 @@ def build_request_body(header_params, form_params, body)
     #
     # @see Configuration#temp_folder_path
     def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
       tempfile = nil
       encoding = nil
       request.on_headers do |response|
@@ -178,10 +184,12 @@ def download_file(request)
         tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
         @tempfile = tempfile
       end
+
       request.on_body do |chunk|
         chunk.force_encoding(encoding)
         tempfile.write(chunk)
       end
+
       request.on_complete do |response|
         if tempfile
           tempfile.close
diff --git a/samples/openapi3/client/features/generate-alias-as-model/ruby-client/lib/petstore/api_client.rb b/samples/openapi3/client/features/generate-alias-as-model/ruby-client/lib/petstore/api_client.rb
@@ -94,7 +94,6 @@ def build_request(http_method, path, opts = {})
       query_params = opts[:query_params] || {}
       form_params = opts[:form_params] || {}
 
-
       # set ssl_verifyhosts option based on @config.verify_ssl_host (true/false)
       _verify_ssl_host = @config.verify_ssl_host ? 2 : 0
 
@@ -163,6 +162,13 @@ def build_request_body(header_params, form_params, body)
     #
     # @see Configuration#temp_folder_path
     def download_file(request)
+      # throw an exception if the temp folder path is not defined
+      # to avoid using the default temp directory which can be read by anyone
+      if @config.temp_folder_path.nil?
+        raise "@config.temp_folder_path must be setup first (e.g. ENV[\"HOME\"], ENV[\"HOMEPATH\"])" +
+              "to avoid dowloading the file to a location readable by everyone."
+      end
+
       tempfile = nil
       encoding = nil
       request.on_headers do |response|
@@ -178,10 +184,12 @@ def download_file(request)
         tempfile = Tempfile.open(prefix, @config.temp_folder_path, encoding: encoding)
         @tempfile = tempfile
       end
+
       request.on_body do |chunk|
         chunk.force_encoding(encoding)
         tempfile.write(chunk)
       end
+
       request.on_complete do |response|
         if tempfile
           tempfile.close
