class RuboCop::Cop::Security::Open
This cop checks for the use of `Kernel#open`.
`Kernel#open` does more than open files: when its argument starts with a pipe character it spawns a subprocess and returns a pipe to it (e.g. `open("| ls")` runs `ls`). Passing variable input to `Kernel#open` therefore turns a file read into a potential command injection. It is better to state the intent explicitly with `File.open`, `IO.popen` or `URI#open`, so that the call can only ever do the one thing it was written for.
@example
  # bad
  open(something)

  # good
  File.open(something)
  IO.popen(something)
  URI.parse(something).open
Constants
- MSG
Public Instance Methods
on_send(node)
  # File lib/rubocop/cop/security/open.rb, line 29
  def on_send(node)
    # `open?` is the cop's node matcher for a bare `open(...)` call (defined
    # elsewhere in the cop, not shown on this page); `code` is the captured
    # argument node that decides whether the call can spawn a process.
    open?(node) do |code|
      return if safe?(code)

      add_offense(node, location: :selector)
    end
  end
Private Instance Methods
composite_string?(node)
  # File lib/rubocop/cop/security/open.rb, line 57
  def composite_string?(node)
    interpolated_string?(node) || concatenated_string?(node)
  end
concatenated_string?(node)
  # File lib/rubocop/cop/security/open.rb, line 65
  # Matches `"literal" + expr`: a `+` call whose receiver is a string literal.
  def concatenated_string?(node)
    node.send_type? && node.method?(:+) && node.receiver.str_type?
  end
interpolated_string?(node)
  # File lib/rubocop/cop/security/open.rb, line 61
  def interpolated_string?(node)
    node.dstr_type?
  end
safe?(node)
  # File lib/rubocop/cop/security/open.rb, line 39
  # `Kernel#open` decides on the first character of its argument only, so a
  # plain literal is judged directly, and an interpolated or concatenated
  # string is judged by its leading chunk: a non-empty literal prefix that
  # does not start with '|' makes the whole value safe regardless of what
  # follows. Anything else (a variable, a method call, a string whose first
  # chunk is an interpolation) is treated as unsafe.
  def safe?(node)
    if simple_string?(node)
      safe_argument?(node.str_content)
    elsif composite_string?(node)
      safe?(node.children.first)
    else
      false
    end
  end
safe_argument?(argument)
  # File lib/rubocop/cop/security/open.rb, line 49
  # An empty literal is not safe: `"" + name` or `"#{name}..."` would still
  # let the caller-controlled part supply the leading '|'.
  def safe_argument?(argument)
    !argument.empty? && !argument.start_with?('|')
  end
simple_string?(node)
  # File lib/rubocop/cop/security/open.rb, line 53
  def simple_string?(node)
    node.str_type?
  end
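The following is an added example, not code from RuboCop or from this cop. It demonstrates two things the page states: the process-spawning behaviour of `Kernel#open` that the cop's description warns about, and the reasoning behind the `safe?` heuristic above (a non-empty literal prefix that does not start with `|` neutralises a hostile suffix, because only the first character matters). All method names, the `HOSTILE_NAME` constant and the use of `echo` as the injected command are assumptions of this example; it expects a POSIX shell with `echo` on the PATH.

```ruby
# Added example, not part of RuboCop: shows what Security/Open protects
# against and why its safe? heuristic only inspects the leading literal.

# VULNERABLE: `name` comes from outside (HTTP parameter, CLI argument,
# config file). Kernel#open interprets a leading "|" as "spawn this command
# and hand me a pipe", so a file read becomes command execution.
def read_with_kernel_open(name)
  open(name) { |io| io.read }
end

# HARDENED: File.open only ever opens a file. A name beginning with "|" is
# just an unusual file name, which here does not exist.
def read_with_file_open(name)
  File.open(name) { |io| io.read }
end

# When a subprocess really is intended, say so with IO.popen and pass an
# argv array, so no shell ever parses the pieces.
def run_explicitly(argv)
  IO.popen(argv) { |io| io.read }
end

# Why the cop accepts open("#{dir}/file") but flags open("" + name) and
# open(name): Kernel#open decides on the first character only. A non-empty
# literal prefix that does not start with "|" pins that character, so the
# tainted suffix can no longer turn the call into a process spawn.
def read_under_prefix(prefix, name)
  open(prefix + name) { |io| io.read }
end

# Constructed attacker input: what a hostile user would submit as a "file".
HOSTILE_NAME = "|echo pwned".freeze

# True when the block raised Errno::ENOENT, i.e. the string was treated as
# a file path and looked up on disk rather than executed.
def refused_as_path?
  yield
  false
rescue Errno::ENOENT
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "Kernel#open: #{read_with_kernel_open(HOSTILE_NAME).inspect}" # the command ran
  puts "File.open:   #{refused_as_path? { read_with_file_open(HOSTILE_NAME) } ? 'ENOENT' : 'opened'}"
  puts "with prefix: #{refused_as_path? { read_under_prefix('./', HOSTILE_NAME) } ? 'ENOENT' : 'opened'}"
  puts "IO.popen:    #{run_explicitly(%w[echo hello]).inspect}"
end
```

Running the file prints `"pwned\n"` for the `Kernel#open` call, because `echo pwned` was executed, while `File.open` and the prefixed `Kernel#open` both fail with `ENOENT`, having looked for a file literally named `|echo pwned`. Note that a literal prefix only defeats the pipe form of `Kernel#open`; it does nothing against path traversal in the suffix, which is a separate problem this cop does not address.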