Red Hat Bugzilla – Bug 987155
Manifest#initialize should not be calling File.exists? on string contents of downloaded manifests
Last modified: 2015-05-14 19:24:25 EDT
openshift-origin-common/models/manifest.rb#initialize is taking manifest as an argument, then calling File.exists? on that argument. If it returns false, it's assuming that the manifest is a downloaded manifest.
This is bad code for a number of reasons (large manifests could raise spurious errors against some filesystems). Instead, #initialize should take a YAML document as "manifest", and the path as a second argument. If callers need to parse YAML, they should call a static method on Manifest that handles that behavior:
new(YAML.load_file(manifest), path, ...)
Also, the loading code that loads the manifest (@manifest = YAML.load_file(manifest)) is not using safe, which means that it's likely someone could use this incorrectly and expose a security issue.
Medium because of the potential for problems.
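The separation the report asks for, as an added example (not origin-server code): the constructor takes a parsed YAML mapping plus an optional path, so it never has to guess whether a string is a filename or downloaded contents, and parsing goes through YAML.safe_load so a manifest can only yield plain scalars, arrays and hashes. The Name/Version keys and the class layout are assumptions for illustration.

```ruby
require 'yaml'

# Added example, not the project's own Manifest class.
class Manifest
  class InvalidManifest < StandardError; end

  attr_reader :name, :version, :path

  # `manifest` is an already-parsed YAML mapping; `path` is nil for manifests
  # that were downloaded rather than read from disk. No filesystem call is
  # ever made on the manifest contents here.
  def initialize(manifest, path = nil)
    raise InvalidManifest, 'manifest must be a parsed YAML mapping' unless manifest.is_a?(Hash)
    @name    = manifest.fetch('Name')    { raise InvalidManifest, 'Name is required' }
    @version = manifest.fetch('Version') { raise InvalidManifest, 'Version is required' }
    @path    = path
  end

  # Parse manifest text (e.g. a downloaded manifest). YAML.safe_load refuses
  # documents that would instantiate Ruby classes beyond the basic types
  # (Psych::DisallowedClass) and refuses aliases (Psych::BadAlias), instead of
  # deserializing whatever the remote document asks for. Additional classes
  # would have to be allow-listed explicitly via permitted_classes:.
  def self.parse(text, path = nil)
    doc = YAML.safe_load(text)
    new(doc, path)
  rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
    raise InvalidManifest, "refusing manifest: #{e.message}"
  end

  # The only place a string is treated as a path.
  def self.load_file(path)
    parse(File.read(path), path)
  end
end
```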
Commit pushed to master at https://github.com/openshift/origin-server
Checked on devenv_3632, the change has been merged.
And create app from downloadable cartridge still works.
Move the bug to verified.