Add Security/Open rubocop rule #3855
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
javierm
force-pushed
the
rubocop_open
branch
from
4a91819
to
e0afdde
Compare
javierm
force-pushed
the
rubocop_open
branch
from
e0afdde
to
9e4abdb
Compare
javierm
force-pushed
the
rubocop_open
branch
from
9e4abdb
to
19ada49
Compare
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
javierm
force-pushed
the
rubocop_open
branch
from
816b5d5
to
f7b41c5
Compare
javierm
force-pushed
the
rubocop_open
branch
from
f7b41c5
to
e984da0
Compare
javierm
force-pushed
the
rubocop_open
branch
from
e984da0
to
647107d
Compare
javierm
force-pushed
the
rubocop_open
branch
from
647107d
to
8c6402a
Compare
javierm
force-pushed
the
rubocop_open
branch
2 times, most recently
from
b7e0740
to
61c9979
Compare
We'll use this method to write a test dealing with remote storages.
In commit 5a4921a we replaced `URI.parse` with `URI.open` due to some issues during our tests with S3. However, there are some security issues with `URI.open` [1], since it might allow some users to execute code on the server. So we're using `URI.parse#open` instead. [1] https://docs.rubocop.org/rubocop/cops_security.html#securityopen
The `open` method can be used to open files or URLs and it's deprecated in Ruby 2.7. In this case, it's clear we're dealing with a URL, so we can use `URI.parse`. The code was a bit strange, since it returned a value and had a side effect: opening the URL. I'm not sure about the intention of the code; my best guess is we wanted to test the URL exists and was accessible before returning it (and, if that's the case, IMHO the code should be a bit more explicit in order to show the intention behind it), but it could also be an unintended side effect which was there by accident. Now the URL is no longer opened; if the URL isn't accessible, we'll find out when trying to connect to it with the Savon client.
javierm
force-pushed
the
rubocop_open
branch
from
61c9979
to
dc87f9d
Compare
taitus
approved these changes
Nov 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
References
Objectives
Kernel#openin the future, since it might be dangerous if done with user inputNotes
We had a false positive for a "dangerous" usage which wasn't actually dangerous because it used a value extracted from the
secrets.ymlfile; that is, the argument was under our control.