Make Security/Open aware of URI.open #8894

Merged (1 commit, Oct 16, 2020)

Conversation

Member

@koic koic commented Oct 15, 2020

This PR makes `Security/Open` aware of `URI.open` and tweaks the doc.
`URI.open` has the same security risk as `Kernel#open`.

## `Kernel#open`

```console
% ruby -ve "p open('| ls').read"
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin19]
"CHANGELOG.md\nCODE_OF_CONDUCT.md\nCONTRIBUTING.md\n...
```

## `URI.open`

```console
% ruby -ropen-uri -ve "p URI.open('| ls').read"
ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [x86_64-darwin19]
"CHANGELOG.md\nCODE_OF_CONDUCT.md\nCONTRIBUTING.md\n...
```

I got this issue as feedback from @amatsuda. Thank you!

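The sink the PR description demonstrates, and the hardened pattern a reviewer would suggest in its place, as an added example that is not code from the PR or from RuboCop. Both `Kernel#open` and `URI.open` treat a String beginning with `|` as a command to spawn; `URI.open` only parses its argument as a URL when it looks like `scheme://...` and otherwise falls through to `Kernel#open`, which is why `URI.open('| ls')` runs `ls`. The helper names (`pipe_open?`, `fetch_url`, `read_local`, `ALLOWED_SCHEMES`) and the injectable `opener` are this example's own choices.

```ruby
# Added example, not code from the RuboCop PR or from RuboCop itself.
# Shows the sink Security/Open flags and a hardened way to open
# user-supplied names without ever handing raw input to Kernel#open or
# URI.open.
require 'uri'
require 'open-uri'

ALLOWED_SCHEMES = %w[http https].freeze

# True for a string that Kernel#open (and therefore URI.open, which falls
# through to it for anything not shaped like scheme://...) would run as a
# subprocess instead of opening as a file.
def pipe_open?(name)
  name.is_a?(String) && name.start_with?('|')
end

# Replacement for `URI.open(input)`: parse first, then open only an
# http(s) URI that has a host. URI.parse never spawns a process, and the
# resulting URI::HTTP#open (from open-uri) can only perform an HTTP
# request. `opener` is injectable (this example's choice) so the
# validation can be exercised offline; the default does the real request.
def fetch_url(input, opener: ->(uri) { uri.open(&:read) })
  uri = begin
    URI.parse(input)
  rescue URI::InvalidURIError => e
    raise ArgumentError, "refusing #{input.inspect}: #{e.message}"
  end
  unless uri.is_a?(URI::HTTP) && ALLOWED_SCHEMES.include?(uri.scheme) &&
         !uri.host.to_s.empty?
    raise ArgumentError, "refusing #{input.inspect}: not an http(s) URL"
  end
  opener.call(uri)
end

# Replacement for `open(input)` when a local file is meant: File.open does
# not interpret a leading "|", and the resolved path is confined to
# base_dir so "../" segments cannot escape it.
def read_local(base_dir, relative)
  base = File.expand_path(base_dir)
  path = File.expand_path(relative, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "refusing #{relative.inspect}: escapes #{base}"
  end
  File.open(path, 'r', &:read)
end

if __FILE__ == $PROGRAM_NAME
  require 'tmpdir'
  # Constructed inputs: the PR's payload, two non-HTTP names, one good URL.
  ['| ls', 'file:///etc/passwd', '/etc/passwd', 'https://example.com/'].each do |input|
    puts "pipe_open?(#{input.inspect}) => #{pipe_open?(input)}"
    begin
      # Stub opener: report the host instead of making a network request.
      puts "fetch_url  -> #{fetch_url(input, opener: ->(u) { "would GET #{u.host}" })}"
    rescue ArgumentError => e
      puts "fetch_url  -> #{e.message}"
    end
  end
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'notes.txt'), "hello\n")
    puts read_local(dir, 'notes.txt')
    begin
      read_local(dir, '../../etc/passwd')
    rescue ArgumentError => e
      puts e.message
    end
  end
end
```

The validation deliberately happens on the parsed `URI` object rather than on the string: a scheme allowlist on `URI::HTTP` rejects `file:`, `ftp:` and bare paths in one place, and `URI::HTTP#open` has no code path that spawns a process, so the pipe behaviour of `Kernel#open` is unreachable however the input is shaped.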
Collaborator

@bbatsov bbatsov left a comment

Looks good!

@koic koic force-pushed the fix_a_false_negative_for_security_open branch from 7512dcd to 7da3629 on October 16, 2020 16:12
@koic koic merged commit be8b179 into rubocop:master Oct 16, 2020
@koic koic deleted the fix_a_false_negative_for_security_open branch October 16, 2020 16:25
@amatsuda
Contributor

@koic Thanks for resolving this!

@koic
Member Author

koic commented Oct 16, 2020

@amatsuda Thank you for pointing out the issue!

koic added a commit that referenced this pull request Oct 17, 2020