Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled | Yes | No | 0.47 | - |
This cop checks for the use of `Kernel#eval` and `Binding#eval`.

```ruby
# bad
eval(something)
binding.eval(something)
```
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled | Yes | Yes (Unsafe) | 0.43 | 0.44 |
This cop checks for the use of JSON class methods which have potential security issues.

Autocorrect is disabled by default because it's potentially dangerous. If using a stream, like `JSON.load(open('file'))`, it will need to call `#read` manually, like `JSON.parse(open('file').read)`. If reading single values (rather than proper JSON objects), like `JSON.load('false')`, it will need to pass the `quirks_mode: true` option, like `JSON.parse('false', quirks_mode: true)`. Other similar issues may apply.

```ruby
# bad
JSON.load("{}")
JSON.restore("{}")

# good
JSON.parse("{}")
```

Name | Default value | Configurable values
---|---|---
AutoCorrect | false | Boolean
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled | Yes | No | 0.47 | - |
This cop checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
```ruby
# bad
Marshal.load("{}")
Marshal.restore("{}")

# good
Marshal.dump("{}")

# okish - deep copy hack
Marshal.load(Marshal.dump({}))
```
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled | No | No | 0.53 | - |
This cop checks for the use of `Kernel#open`.

`Kernel#open` enables not only file access but also process invocation by prefixing a pipe symbol (e.g., `open("| ls")`). So, it may lead to a serious security risk by using variable input to the argument of `Kernel#open`. It would be better to use `File.open`, `IO.popen` or `URI#open` explicitly.

```ruby
# bad
open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open
```
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled | Yes | Yes (Unsafe) | 0.47 | - |
This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
```ruby
# bad
YAML.load("--- foo")

# good
YAML.safe_load("--- foo")
YAML.dump("foo")
```