123456789_123456789_123456789_123456789_123456789_

Class: RuboCop::Cop::Security::Open

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, ::RuboCop::Cop::Base, ::RuboCop::ExcludeLimit, NodePattern::Macros, RuboCop::AST::Sexp
Instance Chain:
Inherits: RuboCop::Cop::Base
Defined in: lib/rubocop/cop/security/open.rb

Overview

Checks for the use of Kernel#open and URI.open with dynamic data.

Kernel#open and URI.open enable not only file access but also process invocation by prefixing a pipe symbol (e.g., open("| ls")). So, it may lead to a serious security risk by using variable input to the argument of Kernel#open and URI.open. It would be better to use File.open, IO.popen or URI.parse#open explicitly.

Note
open and URI.open with literal strings are not flagged by this cop.

Examples:

# bad
open(something)
open("| #{something}")
open("| foo")
URI.open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open

# good (literal strings)
open("foo.text")
URI.open("http://example.com")

Cop Safety Information:

  • This cop could register false positives if open is redefined in a class and then used without a receiver in that class.

Constant Summary

::RuboCop::Cop::Base - Inherited

EMPTY_OFFENSES, RESTRICT_ON_SEND

Class Attribute Summary

::RuboCop::Cop::Base - Inherited

.gem_requirements, .lint?,
.support_autocorrect?

Returns if class supports autocorrect.

.support_multiple_source?

Override if your cop should be called repeatedly for multiple investigations Between calls to on_new_investigation and on_investigation_end, the result of processed_source will remain constant.

Class Method Summary

::RuboCop::Cop::Base - Inherited

.autocorrect_incompatible_with

List of cops that should not try to autocorrect at the same time as this cop.

.badge

Naming.

.callbacks_needed, .cop_name, .department,
.documentation_url

Returns an url to view this cops documentation online.

.exclude_from_registry

Call for abstract Cop classes.

.inherited,
.joining_forces

Override and return the Force class(es) you need to join.

.match?

Returns true if the cop name or the cop namespace matches any of the given names.

.new,
.requires_gem

Register a version requirement for the given gem name.

.restrict_on_send

::RuboCop::ExcludeLimit - Extended

exclude_limit

Sets up a configuration option to have an exclude limit tracked.

transform

Instance Attribute Summary

Instance Method Summary

::RuboCop::Cop::Base - Inherited

#add_global_offense

Adds an offense that has no particular location.

#add_offense

Adds an offense on the specified range (or node with an expression) Unless that offense is disabled for this range, a corrector will be yielded to provide the cop the opportunity to autocorrect the offense.

#begin_investigation

Called before any investigation.

#callbacks_needed,
#cop_config

Configuration Helpers.

#cop_name, #excluded_file?,
#external_dependency_checksum

This method should be overridden when a cop’s behavior depends on state that lives outside of these locations:

#inspect
#message

Gets called if no message is specified when calling add_offense or add_global_offense Cops are discouraged to override this; instead pass your message directly.

#name

Alias for Base#cop_name.

#offenses,
#on_investigation_end

Called after all on_…​

#on_new_investigation

Called before all on_…​

#on_other_file

Called instead of all on_…​

#parse

There should be very limited reasons for a Cop to do it’s own parsing.

#parser_engine,
#ready

Called between investigations.

#relevant_file?, #target_rails_version, #target_ruby_version, #annotate, #apply_correction, #attempt_correction,
#callback_argument

Reserved for Cop::Cop.

#complete_investigation

Called to complete an investigation.

#correct, #current_corrector,
#current_offense_locations

Reserved for Commissioner:

#current_offenses, #currently_disabled_lines, #custom_severity, #default_severity, #disable_uncorrectable, #enabled_line?, #file_name_matches_any?, #find_message, #find_severity, #range_for_original, #range_from_node_or_range,
#reset_investigation

Actually private methods.

#use_corrector

::RuboCop::Cop::AutocorrectLogic - Included

::RuboCop::Cop::IgnoredNode - Included

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Method Details

#composite_string?(node) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 75

def composite_string?(node)
  interpolated_string?(node) || concatenated_string?(node)
end

#concatenated_string?(node) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 83

def concatenated_string?(node)
  node.send_type? && node.method?(:+) && node.receiver.str_type?
end

#interpolated_string?(node) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 79

def interpolated_string?(node)
  node.dstr_type?
end

#on_send(node)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 46

def on_send(node)
  open?(node) do |receiver, code|
    return if safe?(code)

    message = format(MSG, receiver: receiver ? "#{receiver.source}." : 'Kernel#')
    add_offense(node.loc.selector, message: message)
  end
end

#open?(node)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 42

def_node_matcher :open?, <<~PATTERN
  (send ${nil? (const {nil? cbase} :URI)} :open $_ ...)
PATTERN

#safe?(node) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 57

def safe?(node)
  if simple_string?(node)
    safe_argument?(node.str_content)
  elsif composite_string?(node)
    safe?(node.children.first)
  else
    false
  end
end

#safe_argument?(argument) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 67

def safe_argument?(argument)
  !argument.empty? && !argument.start_with?('|')
end

#simple_string?(node) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubocop/cop/security/open.rb', line 71

def simple_string?(node)
  node.str_type?
end