Contents

# frozen_string_literal: true

module RuboCop
  module Cop
    module Security
      # This cop checks for the use of `Kernel#open`.
      #
      # `Kernel#open` enables not only file access but also process invocation
      # by prefixing a pipe symbol (e.g., `open("| ls")`). So, it may lead to
      # a serious security risk by using variable input to the argument of
      # `Kernel#open`. It would be better to use `File.open`, `IO.popen` or
      # `URI#open` explicitly.
      #
      # @example
      #   # bad
      #   open(something)
      #
      #   # good
      #   File.open(something)
      #   IO.popen(something)
      #   URI.parse(something).open
      class Open < Cop
        MSG = 'The use of `Kernel#open` is a serious security risk.'

        def_node_matcher :open?, <<~PATTERN
          (send nil? :open $!str ...)
        PATTERN

        def on_send(node)
          open?(node) do |code|
            return if safe?(code)

            add_offense(node, location: :selector)
          end
        end

        private

        def safe?(node)
          if simple_string?(node)
            safe_argument?(node.str_content)
          elsif composite_string?(node)
            safe?(node.children.first)
          else
            false
          end
        end

        def safe_argument?(argument)
          !argument.empty? && !argument.start_with?('|')
        end

        def simple_string?(node)
          node.str_type?
        end

        def composite_string?(node)
          interpolated_string?(node) || concatenated_string?(node)
        end

        def interpolated_string?(node)
          node.dstr_type?
        end

        def concatenated_string?(node)
          node.send_type? && node.method?(:+) && node.receiver.str_type?
        end
      end
    end
  end
end

Version data entries

46 entries across 35 versions & 5 rubygems

Version	Path
grape-extra_validators-2.0.0	vendor/bundle/ruby/2.6.0/gems/rubocop-0.79.0/lib/rubocop/cop/security/open.rb
rubocop-0.88.0	lib/rubocop/cop/security/open.rb
rbhint-0.87.1.rc1	lib/rubocop/cop/security/open.rb
rubocop-0.87.1	lib/rubocop/cop/security/open.rb
rubocop-0.87.0	lib/rubocop/cop/security/open.rb
rubocop-0.86.0	lib/rubocop/cop/security/open.rb
files.com-1.0.1	vendor/bundle/ruby/2.5.0/gems/rubocop-0.85.1/lib/rubocop/cop/security/open.rb
rbhint-0.85.1.rc2	lib/rubocop/cop/security/open.rb
rbhint-0.85.1.rc1	lib/rubocop/cop/security/open.rb
rubocop-0.85.1	lib/rubocop/cop/security/open.rb
rbhint-0.8.5.rc1	lib/rubocop/cop/security/open.rb
rubocop-0.85.0	lib/rubocop/cop/security/open.rb
rubocop-0.84.0	lib/rubocop/cop/security/open.rb
rubocop-0.83.0	lib/rubocop/cop/security/open.rb
rubocop-0.82.0	lib/rubocop/cop/security/open.rb
rubocop-0.81.0	lib/rubocop/cop/security/open.rb
rubocop-0.80.1	lib/rubocop/cop/security/open.rb
rubocop-0.80.0	lib/rubocop/cop/security/open.rb
grape-extra_validators-1.0.0	vendor/bundle/ruby/2.4.0/gems/rubocop-0.79.0/lib/rubocop/cop/security/open.rb
grape-extra_validators-1.0.0	vendor/bundle/ruby/2.6.0/gems/rubocop-0.79.0/lib/rubocop/cop/security/open.rb