class RuboCop::Cop::Security::Open
Checks for the use of `Kernel#open` and `URI.open` with dynamic data.
`Kernel#open` and `URI.open` enable not only file access but also process invocation when the argument is prefixed with a pipe symbol (e.g., `open("| ls")`). Passing variable input as the argument of `Kernel#open` or `URI.open` can therefore lead to a serious security risk. It is better to use `File.open`, `IO.popen` or `URI.parse#open` explicitly, so that the intended operation (file, process or URL) is stated in the code rather than decided by the data.
NOTE: `open` and `URI.open` with literal strings (that do not begin with a pipe symbol) are not flagged by this cop.
@safety
This cop could register false positives if `open` is redefined in a class and then used without a receiver in that class.
@example
```ruby
# bad
open(something)
open("| #{something}")
open("| foo")
URI.open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open

# good (literal strings)
open("foo.text")
URI.open("http://example.com")
URI.parse(url).open
```
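The following is an added example, not code from RuboCop, showing what the recommended replacements buy you at runtime. `File.open` treats its argument strictly as a path, so a pipe-prefixed string is just a (non-existent) filename; `IO.popen` with an argv array makes the process invocation explicit and passes untrusted text as a literal argument that no shell parses. The helper names, the constructed input string and the temporary sample file are all assumptions for this example; `URI.parse(url).open` is omitted because it needs network access.

```ruby
require 'tempfile'

# Added example, not RuboCop code. Helper names are hypothetical.

# Constructed input shaped like the pipe-prefixed argument the cop warns about.
PIPE_SHAPED_INPUT = '| echo constructed-pipe-input'

# File.open never interprets a leading "|" as a command: the string is treated
# as a filename, so a non-existent path raises Errno::ENOENT and nothing runs.
def pipe_string_is_just_a_filename?(untrusted)
  File.open(untrusted, 'r', &:read)
  false
rescue Errno::ENOENT
  true
end

# Reading a file whose path comes from outside the program: File.open, not bare open.
def read_untrusted_path(untrusted)
  File.open(untrusted, 'r', &:read)
end

# When a subprocess really is intended, IO.popen with an argv array states the
# command explicitly and hands the untrusted text to it as one literal argument;
# no shell is involved, so "|" cannot begin a second command.
def echo_via_popen(untrusted)
  IO.popen(['echo', untrusted], &:read)
end

# Constructed sample file so the example runs offline.
SAMPLE = Tempfile.new('open-cop-example')
SAMPLE.write("hello\n")
SAMPLE.flush

if $PROGRAM_NAME == __FILE__
  puts pipe_string_is_just_a_filename?(PIPE_SHAPED_INPUT)
  puts read_untrusted_path(SAMPLE.path)
  puts echo_via_popen(PIPE_SHAPED_INPUT)
end
```

Run it with `ruby open_example.rb`: the first call reports `true` (the pipe-shaped string was looked up as a filename), the second prints the sample file's contents, and the third echoes the pipe-shaped string verbatim, because `echo` received it as an argument rather than a shell having interpreted it.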
Constants
- MSG
- RESTRICT_ON_SEND
Public Instance Methods
```ruby
# File lib/rubocop/cop/security/open.rb, line 47
def on_send(node)
  open?(node) do |receiver, code|
    # Literal (or literal-prefixed) arguments that do not start with "|" are fine.
    return if safe?(code)

    message = format(MSG, receiver: receiver ? "#{receiver.source}." : 'Kernel#')
    add_offense(node.loc.selector, message: message)
  end
end
```
Private Instance Methods
```ruby
# File lib/rubocop/cop/security/open.rb, line 76
def composite_string?(node)
  interpolated_string?(node) || concatenated_string?(node)
end
```
```ruby
# File lib/rubocop/cop/security/open.rb, line 84
def concatenated_string?(node)
  # A `+` call whose receiver is a plain string literal, e.g. "foo" + bar.
  node.send_type? && node.method?(:+) && node.receiver.str_type?
end
```
```ruby
# File lib/rubocop/cop/security/open.rb, line 80
def interpolated_string?(node)
  node.dstr_type?
end
```
```ruby
# File lib/rubocop/cop/security/open.rb, line 58
def safe?(node)
  if simple_string?(node)
    safe_argument?(node.str_content)
  elsif composite_string?(node)
    # Only the leading part of an interpolated or concatenated string decides
    # whether the argument can start with a pipe symbol.
    safe?(node.children.first)
  else
    false
  end
end
```
```ruby
# File lib/rubocop/cop/security/open.rb, line 68
def safe_argument?(argument)
  !argument.empty? && !argument.start_with?('|')
end
```
```ruby
# File lib/rubocop/cop/security/open.rb, line 72
def simple_string?(node)
  node.str_type?
end
```