RubygemsResearch

Sha256: 893a68bebd506df14b60a215ca8958e0fff0346ded545b079707805bea9857d7

Contents?: true

Size: 1.68 KB

Versions: 216

Compression:

Stored size: 1.68 KB

# frozen_string_literal: true

module RuboCop
  module Cop
    module Security
      # Checks for the first argument to `IO.read`, `IO.binread`, `IO.write`, `IO.binwrite`,
      # `IO.foreach`, and `IO.readlines`.
      #
      # If argument starts with a pipe character (`'|'`) and the receiver is the `IO` class,
      # a subprocess is created in the same way as `Kernel#open`, and its output is returned.
      # `Kernel#open` may allow unintentional command injection, which is the reason these
      # `IO` methods are a security risk.
      # Consider to use `File.read` to disable the behavior of subprocess invocation.
      #
      # @safety
      #   This cop is unsafe because false positive will occur if the variable passed as
      #   the first argument is a command that is not a file path.
      #
      # @example
      #
      #   # bad
      #   IO.read(path)
      #   IO.read('path')
      #
      #   # good
      #   File.read(path)
      #   File.read('path')
      #   IO.read('| command') # Allow intentional command invocation.
      #
      class IoMethods < Base
        extend AutoCorrector

        MSG = '`File.%<method_name>s` is safer than `IO.%<method_name>s`.'
        RESTRICT_ON_SEND = %i[read binread write binwrite foreach readlines].freeze

        def on_send(node)
          return unless (receiver = node.receiver) && receiver.source == 'IO'

          argument = node.first_argument
          return if argument.respond_to?(:value) && argument.value.strip.start_with?('|')

          add_offense(node, message: format(MSG, method_name: node.method_name)) do |corrector|
            corrector.replace(receiver, 'File')
          end
        end
      end
    end
  end
end

Version data entries

216 entries across 207 versions & 21 rubygems

Version	Path
harbr-0.1.93	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.91	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.90	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.89	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.88	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.87	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.86	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.85	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.84	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.83	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.82	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.81	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.80	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.79	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.78	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.77	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.76	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.75	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.74	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb
harbr-0.1.73	vendor/bundle/ruby/3.2.0/gems/rubocop-1.57.2/lib/rubocop/cop/security/io_methods.rb