From d96c4dfd2a6fde439677d609ecf024227e2bd2fd Mon Sep 17 00:00:00 2001 From: Geremia Taglialatela Date: Sun, 7 Apr 2024 10:37:04 +0200 Subject: [PATCH] Use File.read instead of IO.read If argument starts with a pipe character (`'|'`) and the receiver is the `IO` class, a subprocess is created in the same way as `Kernel#open`, and its output is returned. `Kernel#open` may allow unintentional command injection, which is the reason these `IO` methods are a security risk. Consider using `File.read` to disable the behavior of subprocess invocation. Ref: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/IoMethods --- CHANGELOG.md | 2 ++ lib/css_parser/parser.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d1631c0..6aea361 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ### Unreleased + * Improve security by using `File.read` instead of `IO.read` [#148](https://github.com/premailer/css_parser/pull/148) + ### Version v1.17.0 * Added `user_agent` as an option to Parser [#146](https://github.com/premailer/css_parser/pull/146) diff --git a/lib/css_parser/parser.rb b/lib/css_parser/parser.rb index 8c9d34a..b5e203a 100644 --- a/lib/css_parser/parser.rb +++ b/lib/css_parser/parser.rb @@ -486,7 +486,7 @@ def load_file!(file_name, options = {}, deprecated = nil) return unless File.readable?(file_name) return unless circular_reference_check(file_name) - src = IO.read(file_name) + src = File.read(file_name) opts[:filename] = file_name if opts[:capture_offsets] opts[:base_dir] = File.dirname(file_name)
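Review bot: the CHANGELOG entry under "Unreleased" says "Improve security" without saying what behaviour was removed, so a reader scanning release notes cannot tell whether the change affects them; suggest spelling out the mechanism the commit message already explains, e.g. `* Use File.read instead of IO.read so that a file name starting with a pipe character is no longer treated as a subprocess to run [#148](https://github.com/premailer/css_parser/pull/148)`.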
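Review bot: in the `load_file!` hunk, swapping `IO.read(file_name)` for `File.read(file_name)` is the right fix for the pipe-prefix subprocess behaviour, but the surrounding guard `return unless File.readable?(file_name)` followed by the read is still a check-then-act sequence, so a file that becomes unreadable or disappears between the two calls raises out of `File.read` rather than hitting the early return; consider wrapping the read in a `begin`/`rescue Errno::ENOENT, Errno::EACCES` that returns the same way the guard does, so the function's documented "silently skip unreadable files" contract holds under that race as well.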