From f2c9a7c0a5c0482d2e1b3503c4239d6165064203 Mon Sep 17 00:00:00 2001
From: Alex Kriuchykhin
Date: Mon, 11 Nov 2024 15:39:36 +0100
Subject: [PATCH] Fix dangerous use of uri open, remove unused obsolete file encryptor module [SCI-11259] (#8030)

---
 Gemfile | 2 +-
 .../users/omniauth_callbacks_controller.rb | 5 +----
 app/models/asset.rb | 1 -
 app/utilities/encryptor.rb | 19 -------------------
 .../protocol_importers/attachments_builder.rb | 2 +-
 5 files changed, 3 insertions(+), 26 deletions(-)
 delete mode 100644 app/utilities/encryptor.rb

diff --git a/Gemfile b/Gemfile
index e28a8437a..3bddf41df 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
-source 'http://rubygems.org'
+source 'https://rubygems.org'
 ruby '~> 3.2.2'
diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 74d7fc180..ad62346c3 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -114,10 +114,7 @@ module Users
 email: auth_hash['info']['email'],
 password: generate_user_password
 )
- if auth_hash['info']['picture_url']
- avatar = URI.open(auth_hash['info']['picture_url'])
- @user.avatar.attach(io: avatar, filename: 'linkedin_avatar.jpg')
- end
+ @user.avatar.attach(io: URI(auth_hash['info']['picture_url']).open, filename: 'linkedin_avatar.jpg') if auth_hash['info']['picture_url']
 user_identity = UserIdentity.new(user: @user, provider: auth_hash['provider'], uid: auth_hash['uid'])
diff --git a/app/models/asset.rb b/app/models/asset.rb
index 74b839d11..6f0f2632f 100644
--- a/app/models/asset.rb
+++ b/app/models/asset.rb
@@ -3,7 +3,6 @@
 class Asset < ApplicationRecord
 include SearchableModel
 include DatabaseHelper
- include Encryptor
 include WopiUtil
 include ActiveStorageFileUtil
 include ActiveStorageConcerns
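Review bot: The new one-liner in the omniauth_callbacks_controller.rb hunk still performs a server-side fetch of a provider-supplied URL, and `URI(...)` accepts any scheme, so a non-http(s) `picture_url` now fails with `NoMethodError` from `.open` and a malformed one with `URI::InvalidURIError`, neither of which is rescued in the visible lines, while the fetch itself has no timeout. An explicit scheme check keeps the failure deliberate: `picture = URI(auth_hash['info']['picture_url'])`, `raise ArgumentError, 'unsupported avatar URL scheme' unless picture.is_a?(URI::HTTP)`, then `@user.avatar.attach(io: picture.open(open_timeout: 5, read_timeout: 10), filename: 'linkedin_avatar.jpg')`. The same point applies to `URI(f[:url]).open` in the attachments_builder.rb hunk, where `f[:url]` comes from the imported step JSON. The replacement line is also well over the usual line length; the original multi-line `if` block was easier to read. The enclosing method starts and ends outside the hunk.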
diff --git a/app/utilities/encryptor.rb b/app/utilities/encryptor.rb
deleted file mode 100644
index b18637391..000000000
--- a/app/utilities/encryptor.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-module Encryptor
- def decrypt(data)
- return '' unless data.present?
- cipher = build_cipher(:decrypt, 'f5awRubeTUd2E*8duxum')
- cipher.update(Base64.urlsafe_decode64(data).unpack('m')[0]) + cipher.final
- end
-
- def encrypt(data)
- return '' unless data.present?
- cipher = build_cipher(:encrypt, 'f5awRubeTUd2E*8duxum')
- Base64.urlsafe_encode64([cipher.update(data) + cipher.final].pack('m'))
- end
-
- def build_cipher(type, password)
- cipher = OpenSSL::Cipher::Cipher.new('DES-EDE3-CBC').send(type)
- cipher.pkcs5_keyivgen(password)
- cipher
- end
-end
\ No newline at end of file
diff --git a/app/utilities/protocol_importers/attachments_builder.rb b/app/utilities/protocol_importers/attachments_builder.rb
index dd2bd4799..f0c50b5ea 100644
--- a/app/utilities/protocol_importers/attachments_builder.rb
+++ b/app/utilities/protocol_importers/attachments_builder.rb
@@ -7,7 +7,7 @@ module ProtocolImporters
 step_json[:attachments].map do |f|
 asset = Asset.new(created_by: user, last_modified_by: user, team: team)
- asset.attach_file_version(io: URI.open(f[:url]), filename: f[:name])
+ asset.attach_file_version(io: URI(f[:url]).open, filename: f[:name])
 asset
 end
 end