From bb987928ad23c493936cd14fd64f0cfbd7395105 Mon Sep 17 00:00:00 2001
From: MC GSA
Date: Thu, 16 Jan 2020 11:43:51 -0600
Subject: [PATCH] replace Kernel.open which lets data spawn shells with URI.parse to protect against RCE (#509)
---
 features/step_definitions/web_ext_steps.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/features/step_definitions/web_ext_steps.rb b/features/step_definitions/web_ext_steps.rb
index 04076f5f3b..9a99b0e3ea 100644
--- a/features/step_definitions/web_ext_steps.rb
+++ b/features/step_definitions/web_ext_steps.rb
@@ -126,7 +126,7 @@ Then /^I should see an s3 image "(.*?)"$/ do |image_file_name|
  image_url = page.find(:xpath, '//img')[:src]
  image_url.should =~ /s3\.amazonaws\.com.+#{Regexp.escape(image_file_name)}/
- lambda { Kernel.open(image_url) }.should_not raise_error
+ lambda { URI.parse(image_url).open }.should_not raise_error
 end
 Then /^I should find "(.+)" in (.+)$/ do |text, locator|
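Review bot: The new `URI.parse(image_url).open` on the `+` line returns an open IO (open-uri hands back a StringIO or Tempfile) that nothing closes, so every run of this step leaks a handle; the block form closes it on exit: `lambda { URI.parse(image_url).open { |io| io.read(1) } }.should_not raise_error`. `open` is only defined on `URI::HTTP`/`URI::FTP` once `open-uri` is loaded, and the old `Kernel.open` call needed the same library to fetch a URL, so it is presumably already required, but an explicit `require 'open-uri'` at the top of the step file would make that dependency visible. A value that is not an http/ftp URL now raises `URI::InvalidURIError` or `NoMethodError` inside the lambda, which fails the step instead of reaching a shell, and the regex assertion on the line above only checks that `s3.amazonaws.com` appears somewhere in the string rather than as the host, so a check on `URI.parse(image_url).host` would make the step vouch for what it names. The step definition begins before the hunk; only its closing `end` is visible here.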