class RuboCop::Cop::Security::Open

URI.parse(something).open
IO.popen(something)
File.open(something)
# good
open(something)
# bad
@example
`URI#open` explicitly.
`Kernel#open`. It would be better to use `File.open`, `IO.popen` or
a serious security risk by using variable input to the argument of
by prefixing a pipe symbol (e.g., `open("| ls")`). So, it may lead to
`Kernel#open` enables not only file access but also process invocation
This cop checks for the use of `Kernel#open`.

def on_send(node)

# Registers an offense for a call matched by `open?` unless its yielded
# argument is judged safe by `safe?`.
#
# The offense is placed on the method selector, so the report points at the
# `open` call itself rather than at its argument.
#
# @param node [RuboCop::AST::SendNode] the method call being inspected
# @return [void]
def on_send(node)
  open?(node) do |argument|
    # Only arguments with a fixed, non-pipe leading literal are skipped; any
    # other argument could start with '|' at runtime and is therefore reported.
    return if safe?(argument)

    add_offense(node, location: :selector)
  end
end

def safe?(node)

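# Decides whether an argument can be shown statically not to begin with a
# pipe character.
#
# Only the leading literal part of the argument is examined:
# * a plain string literal is safe when it is non-empty and does not start
#   with '|';
# * an interpolated string (dstr) or a `+` concatenation is judged by its
#   first child node alone, since only the start of the final string decides
#   whether a pipe prefix is present;
# * anything else (variables, method calls, ...) is treated as unsafe because
#   its runtime value is unknown.
#
# This check is only about the pipe prefix. A "safe" result says nothing
# about which file path ends up being opened.
#
# @param node [RuboCop::AST::Node, nil] the argument node, or a child of it
# @return [Boolean] true when the leading literal rules out a pipe prefix
def safe?(node)
  # `child_nodes.first` is nil when a composite node has no child nodes;
  # treat that as unsafe instead of raising NoMethodError on nil.
  return false if node.nil?

  if node.str_type?
    content = node.str_content
    # An empty literal is unsafe: nothing is known about what follows it.
    !content.empty? && !content.start_with?('|')
  elsif node.dstr_type? || (node.send_type? && node.method_name == :+)
    safe?(node.child_nodes.first)
  else
    false
  end
end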