Make #read_lines code more robust, avoid using IO.open directly

jirutka · Mar 29, 2022 · cbaccf3 · cbaccf3
1 parent c7ea001
commit cbaccf3
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/lib/asciidoctor/include_ext/include_processor.rb b/lib/asciidoctor/include_ext/include_processor.rb
@@ -113,10 +113,16 @@ def resolve_target_path(target, reader)
     #   the line number. If `nil` is given, all lines are passed.
     # @return [Array<String>] an array of read lines.
     def read_lines(path, selector)
-      if selector
-        IO.foreach(path).select.with_index(1, &selector)
-      else
-        URI.open(path, &:read)
+      # IO.open is deliberately not used directly to avoid potential security risks.
+      # TODO: Get rid of 'open-uri' (URI.open).
+      io = target_http?(path) ? URI : File
+
+      io.open(path) do |f|
+        if selector
+          f.each.select.with_index(1, &selector)
+        else
+          f.read
+        end
       end
     end