Security/CompoundHash
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Pending |
No |
No |
1.28 |
1.51 |
Checks for implementations of the hash
method which combine
values using custom logic instead of delegating to Array#hash
.
Manually combining hashes is error prone and hard to follow, especially
when there are many values. Poor implementations may also introduce
performance or security concerns if they are prone to collisions.
Delegating to Array#hash
is clearer and safer, although it might be slower
depending on the use case.
Safety
This cop may be unsafe if the application logic depends on the hash value, however this is inadvisable anyway.
Examples
# bad
def hash
@foo ^ @bar
end
# good
def hash
[@foo, @bar].hash
end
Security/Eval
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled |
Yes |
No |
0.47 |
- |
Checks for the use of Kernel#eval
and Binding#eval
.
Examples
# bad
eval(something)
binding.eval(something)
Security/IoMethods
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Pending |
No |
Always (Unsafe) |
1.22 |
- |
Checks for the first argument to IO.read
, IO.binread
, IO.write
, IO.binwrite
,
IO.foreach
, and IO.readlines
.
If argument starts with a pipe character ('|'
) and the receiver is the IO
class,
a subprocess is created in the same way as Kernel#open
, and its output is returned.
Kernel#open
may allow unintentional command injection, which is the reason these
IO
methods are a security risk.
Consider to use File.read
to disable the behavior of subprocess invocation.
Safety
This cop is unsafe because false positive will occur if the variable passed as the first argument is a command that is not a file path.
Examples
# bad
IO.read(path)
IO.read('path')
# good
File.read(path)
File.read('path')
IO.read('| command') # Allow intentional command invocation.
Security/JSONLoad
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled |
Yes |
Always (Unsafe) |
0.43 |
1.22 |
Checks for the use of JSON class methods which have potential security issues.
Safety
This cop’s autocorrection is unsafe because it’s potentially dangerous.
If using a stream, like JSON.load(open('file'))
, it will need to call
#read
manually, like JSON.parse(open('file').read)
.
If reading single values (rather than proper JSON objects), like
JSON.load('false')
, it will need to pass the quirks_mode: true
option, like JSON.parse('false', quirks_mode: true)
.
Other similar issues may apply.
Examples
# bad
JSON.load("{}")
JSON.restore("{}")
# good
JSON.parse("{}")
Security/MarshalLoad
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled |
Yes |
No |
0.47 |
- |
Checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Examples
# bad
Marshal.load("{}")
Marshal.restore("{}")
# good
Marshal.dump("{}")
# okish - deep copy hack
Marshal.load(Marshal.dump({}))
Security/Open
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled |
No |
No |
0.53 |
1.0 |
Checks for the use of Kernel#open
and URI.open
with dynamic
data.
Kernel#open
and URI.open
enable not only file access but also process
invocation by prefixing a pipe symbol (e.g., open("| ls")
).
So, it may lead to a serious security risk by using variable input to
the argument of Kernel#open
and URI.open
. It would be better to use
File.open
, IO.popen
or URI.parse#open
explicitly.
Note
|
open and URI.open with literal strings are not flagged by this
cop.
|
Safety
This cop could register false positives if open
is redefined
in a class and then used without a receiver in that class.
Examples
# bad
open(something)
open("| #{something}")
open("| foo")
URI.open(something)
# good
File.open(something)
IO.popen(something)
URI.parse(something).open
# good (literal strings)
open("foo.text")
URI.open("http://example.com")
Security/YAMLLoad
Note
|
Requires Ruby version ⇐ 3.0 |
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled |
Yes |
Always (Unsafe) |
0.47 |
- |
Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Note
|
Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.
|
Safety
The behavior of the code might change depending on what was
in the YAML payload, since YAML.safe_load
is more restrictive.
Examples
# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default
# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo]) # Ruby 2.5 (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
YAML.dump(foo)