class RuboCop::Cop::Security::Open

This cop checks for the use of `Kernel#open`.

`Kernel#open` enables not only file access but also process invocation: an argument beginning with a pipe symbol (e.g., `open("| ls")`) is executed as a command rather than opened as a file. Passing variable input to `Kernel#open` can therefore create a serious security risk. It is better to use `File.open`, `IO.popen` or `URI#open` explicitly, so the intended operation is unambiguous.

@example

# bad
open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open

Constants

MSG

Public Instance Methods

on_send(node)
# File lib/rubocop/cop/security/open.rb, line 29
def on_send(node)
  open?(node) do |code|
    return if safe?(code)

    add_offense(node, location: :selector)
  end
end

Private Instance Methods

composite_string?(node)
# File lib/rubocop/cop/security/open.rb, line 57
def composite_string?(node)
  interpolated_string?(node) || concatenated_string?(node)
end
concatenated_string?(node)
# File lib/rubocop/cop/security/open.rb, line 65
def concatenated_string?(node)
  node.send_type? && node.method?(:+) && node.receiver.str_type?
end
interpolated_string?(node)
# File lib/rubocop/cop/security/open.rb, line 61
def interpolated_string?(node)
  node.dstr_type?
end
safe?(node)
# File lib/rubocop/cop/security/open.rb, line 39
def safe?(node)
  if simple_string?(node)
    safe_argument?(node.str_content)
  elsif composite_string?(node)
    safe?(node.children.first)
  else
    false
  end
end
safe_argument?(argument)
# File lib/rubocop/cop/security/open.rb, line 49
def safe_argument?(argument)
  !argument.empty? && !argument.start_with?('|')
end
simple_string?(node)
# File lib/rubocop/cop/security/open.rb, line 53
def simple_string?(node)
  node.str_type?
end
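The following is an added example, not RuboCop's own code: it shows the runtime side of what the cop's `safe_argument?` check and the `@example` block above describe, namely a guard mirroring the cop's empty-or-pipe-prefix rule, a file read via `File.open` that treats a `|`-prefixed string as a plain (nonexistent) path, and process invocation via `IO.popen` with an argv array. `PIPE_INPUT`, `pipe_prefixed?`, `read_file`, `run_command` and `demo_read_real_file` are names chosen for this example.

```ruby
require 'tempfile'

# Constructed input: handed to Kernel#open, the leading "|" would make Ruby
# spawn "echo pwned" instead of opening a file.
PIPE_INPUT = '| echo pwned'.freeze

# Runtime counterpart of the cop's safe_argument?: an argument is unsafe
# when it is empty or starts with a pipe symbol.
def pipe_prefixed?(arg)
  arg.empty? || arg.start_with?('|')
end

# Hardened read: File.open only ever interprets its argument as a path, so a
# "|"-prefixed string is just a filename that does not exist (Errno::ENOENT),
# never a command.
def read_file(path)
  File.open(path, 'r', &:read)
end

# Explicit process invocation: IO.popen with an argv array does not go through
# a shell, so the program name and its arguments cannot be reinterpreted.
def run_command(argv)
  IO.popen(argv, &:read)
end

# Shows read_file working on a real file: write a constructed temp file and
# read it back through the hardened helper.
def demo_read_real_file
  Tempfile.create('security-open-demo') do |f|
    f.write("hello\n")
    f.flush
    read_file(f.path)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "guard rejects #{PIPE_INPUT.inspect}: #{pipe_prefixed?(PIPE_INPUT)}"
  begin
    read_file(PIPE_INPUT)
  rescue Errno::ENOENT => e
    puts "File.open treated it as a path: #{e.message}"
  end
  puts "IO.popen output: #{run_command(['echo', 'hi']).inspect}"
end
```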