Add new Security/Open cop
#5319
Merged
Commits on Dec 28, 2017
-
`Kernel#open` is considered harmful for production use. Some programs use `Kernel#open` with untrusted input, but it allows command injection by prefixing a pipe (`|`). [An actual vulnerability](https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/) is found, and deprecating `open("|...")` is [proposed in bugs.ruby-lang.org](https://bugs.ruby-lang.org/issues/14239). I'm unsure if the deprecation is really good, but at least it would be a good idea for Rubocop to prevent such a bad usage of `Kernel#open`. ```console % cat /tmp/test.rb open(something) ``` ```console % bundle exec bin/rubocop /tmp/test.rb Inspecting 1 file C Offenses: /tmp/test.rb:3:1: C: Security/Open: The use of open is a serious security risk. open(something) ^^^^ 1 file inspected, 1 offense detected ```
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.