
Use File.read instead of IO.read #149

Merged
merged 1 commit into from Apr 7, 2024

Conversation

tagliala (Contributor) commented Apr 7, 2024

If the argument starts with a pipe character (`'|'`) and the receiver is the `IO` class, a subprocess is created in the same way as `Kernel#open`, and its output is returned. `Kernel#open` may allow unintentional command injection, which is the reason these `IO` methods are a security risk. Consider using `File.read` to disable the behavior of subprocess invocation.

Ref: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/IoMethods

Why and what is being done.

Pre-Merge Checklist

  • CHANGELOG.md updated with short summary
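The difference the PR relies on, as an added example that is not premailer's code: `File.read` treats a pipe-prefixed argument as an ordinary file name, so a loader built on it fails with `Errno::ENOENT` instead of spawning anything. The helper names (`read_local_file`, `file_read_treats_pipe_as_filename?`) and the explicit pipe check are assumptions added here.

```ruby
# Added example (not premailer's code): a file loader that cannot be turned
# into a subprocess launch by a pipe-prefixed argument.
require 'tempfile'

# Reads a file with File.read, which never interprets a leading '|' as a
# command to run. Returns [:ok, contents] or [:refused, reason].
def read_local_file(path)
  # Belt and braces (assumption, not in the PR): refuse pipe-prefixed names
  # up front so the refusal stays explicit even if the read call is later
  # swapped for an IO method that would honour the pipe.
  return [:refused, 'pipe-prefixed path'] if path.start_with?('|')
  [:ok, File.read(path)]
rescue Errno::ENOENT
  [:refused, 'no such file']
end

# Shows the receiver class is what matters: File.read('|echo unexpected')
# looks for a file literally named "|echo unexpected" and raises ENOENT.
def file_read_treats_pipe_as_filename?(name = '|echo unexpected')
  File.read(name)
  false
rescue Errno::ENOENT
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample stylesheet, written to a temp file for the demo.
  Tempfile.create('style') do |f|
    f.write('body { color: red }')
    f.flush
    p read_local_file(f.path)          # [:ok, "body { color: red }"]
  end
  p read_local_file('|echo unexpected')  # [:refused, "pipe-prefixed path"]
  p file_read_treats_pipe_as_filename?   # true
end
```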

grosser (Contributor) commented Apr 7, 2024

nice find!

@grosser grosser merged commit 816c2e0 into premailer:master Apr 7, 2024
6 checks passed
grosser (Contributor) commented Apr 7, 2024

1.17.1

@tagliala tagliala deleted the security/use-file-read branch April 7, 2024 17:19