123456789_123456789_123456789_123456789_123456789_

Class: RuboCop::Cop::Security::Open

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, ::RuboCop::Cop::Base, ::RuboCop::ExcludeLimit, NodePattern::Macros, RuboCop::AST::Sexp
Instance Chain:
self, ::RuboCop::Cop::Base, ::RuboCop::Cop::AutocorrectLogic, ::RuboCop::Cop::IgnoredNode, ::RuboCop::Util, RuboCop::AST::Sexp
Inherits: RuboCop::Cop::Base
Defined in: lib/rubocop/cop/security/open.rb

Overview

Checks for the use of Kernel#open and URI.open with dynamic data.

Kernel#open and URI.open enable not only file access but also process invocation by prefixing a pipe symbol (e.g., open("| ls")). So, it may lead to a serious security risk by using variable input to the argument of Kernel#open and URI.open. It would be better to use File.open, IO.popen or URI.parse#open explicitly.

Note
 open and URI.open with literal strings are not flagged by this cop.

Examples:

# bad
open(something)
open("| #{something}")
open("| foo")
URI.open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open

# good (literal strings)
open("foo.text")
URI.open("http://example.com")

Cop Safety Information:

  • This cop could register false positives if open is redefined in a class and then used without a receiver in that class.

Constant Summary

::RuboCop::Cop::Base - Inherited

EMPTY_OFFENSES, RESTRICT_ON_SEND

Class Attribute Summary

::RuboCop::Cop::Base - Inherited

.gem_requirements, .lint?,
.support_autocorrect?

Returns if class supports autocorrect.
.support_multiple_source?

Override if your cop should be called repeatedly for multiple investigations Between calls to on_new_investigation and on_investigation_end, the result of processed_source will remain constant.

Class Method Summary

::RuboCop::Cop::Base - Inherited

.autocorrect_incompatible_with

List of cops that should not try to autocorrect at the same time as this cop.
.badge

Naming.
.callbacks_needed, .cop_name, .department,
.documentation_url

Returns a url to view this cops documentation online.
.exclude_from_registry

Call for abstract Cop classes.
.inherited,
.joining_forces

Override and return the Force class(es) you need to join.
.match?

Returns true if the cop name or the cop namespace matches any of the given names.
.new,
.requires_gem

Register a version requirement for the given gem name.
.restrict_on_send

::RuboCop::ExcludeLimit - Extended

exclude_limit

Sets up a configuration option to have an exclude limit tracked.
transform

Instance Attribute Summary

::RuboCop::Cop::Base - Inherited

#active_support_extensions_enabled?, #always_autocorrect?, #config, #config_to_allow_offenses, #config_to_allow_offenses=, #contextual_autocorrect?, #processed_source, #string_literals_frozen_by_default?, #target_satisfies_all_gem_version_requirements?

::RuboCop::Cop::AutocorrectLogic - Included

#autocorrect?, #autocorrect_enabled?, #autocorrect_requested?, #autocorrect_with_disable_uncorrectable?, #correctable?, #disable_uncorrectable?, #safe_autocorrect?

Instance Method Summary

::RuboCop::Cop::Base - Inherited

#add_global_offense

Adds an offense that has no particular location.
#add_offense

Adds an offense on the specified range (or node with an expression) Unless that offense is disabled for this range, a corrector will be yielded to provide the cop the opportunity to autocorrect the offense.
#begin_investigation

Called before any investigation.
#callbacks_needed,
#cop_config

Configuration Helpers.
#cop_name, #excluded_file?,
#external_dependency_checksum

This method should be overridden when a cop’s behavior depends on state that lives outside of these locations:
#inspect,
#message

Gets called if no message is specified when calling add_offense or add_global_offense Cops are discouraged to override this; instead pass your message directly.
#name

Alias for Base#cop_name.
#offenses,
#on_investigation_end

Called after all on_…​
#on_new_investigation

Called before all on_…​
#on_other_file

Called instead of all on_…​
#parse

There should be very limited reasons for a Cop to do it’s own parsing.
#parser_engine,
#ready

Called between investigations.
#relevant_file?, #target_rails_version, #target_ruby_version, #annotate, #apply_correction, #attempt_correction,
#callback_argument

Reserved for Cop::Cop.
#complete_investigation

Called to complete an investigation.
#correct, #current_corrector,
#current_offense_locations

Reserved for Commissioner:
#current_offenses, #currently_disabled_lines, #custom_severity, #default_severity, #disable_uncorrectable, #enabled_line?, #file_name_matches_any?, #find_message, #find_severity, #range_for_original, #range_from_node_or_range,
#reset_investigation

Actually private methods.
#use_corrector

::RuboCop::Cop::AutocorrectLogic - Included

#disable_offense, #disable_offense_at_end_of_line, #disable_offense_before_and_after, #disable_offense_with_eol_or_surround_comment, #max_line_length,
#range_by_lines

Expand the given range to include all of any lines it covers.
#range_of_first_line, #range_overlaps_offense?, #string_continuation, #string_continuation?, #surrounding_heredoc, #surrounding_percent_array

::RuboCop::Cop::IgnoredNode - Included

#ignore_node, #ignored_node?, #part_of_ignored_node?, #ignored_nodes

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Method Details

#composite_string?(node) ⇒ Boolean (private)

[ GitHub ] 

  


# File 'lib/rubocop/cop/security/open.rb', line 75



def composite_string?(node)
  interpolated_string?(node) || concatenated_string?(node)
end


  








  

    #concatenated_string?(node)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 83



def concatenated_string?(node)
  node.send_type? && node.method?(:+) && node.receiver.str_type?
end


  








  

    #interpolated_string?(node)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 79



def interpolated_string?(node)
  node.dstr_type?
end


  








  

    #on_send(node)  
  

  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 46



def on_send(node)
  open?(node) do |receiver, code|
    return if safe?(code)

    message = format(MSG, receiver: receiver ? "#{receiver.source}." : 'Kernel#')
    add_offense(node.loc.selector, message: message)
  end
end


  








  

    #open?(node)  
  

  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 42



def_node_matcher :open?, <<~PATTERN
  (send ${nil? (const {nil? cbase} :URI)} :open $_ ...)
PATTERN


  








  

    #safe?(node)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 57



def safe?(node)
  if simple_string?(node)
    safe_argument?(node.str_content)
  elsif composite_string?(node)
    safe?(node.children.first)
  else
    false
  end
end


  








  

    #safe_argument?(argument)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 67



def safe_argument?(argument)
  !argument.empty? && !argument.start_with?('|')
end


  








  

    #simple_string?(node)  ⇒ Boolean  (private)
  



  

    
  





  


  [ GitHub ]


  

  


# File 'lib/rubocop/cop/security/open.rb', line 71



def simple_string?(node)
  node.str_type?
end