Document possible attack vector on get

This method is not supposed to receive user input, but if it does it will be vulnerable for a command injection attack. Closes #514
rails · Jul 5, 2018 · 77b0dd5 · 77b0dd5
1 parent 688c3f2
commit 77b0dd5
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/thor/actions/file_manipulation.rb b/lib/thor/actions/file_manipulation.rb
@@ -60,6 +60,9 @@ def link_file(source, *args)
     # destination. If a block is given instead of destination, the content of
     # the url is yielded and used as location.
     #
+    # +get+ relies on open-uri, so passing application user input would provide
+    # a command injection attack vector.
+    #
     # ==== Parameters
     # source<String>:: the address of the given content.
     # destination<String>:: the relative path to the destination root.