Add new Security/IoMethods cop #10102

Merged: 1 commit merged into rubocop:master from add_new_security_io_read_cop on Sep 28, 2021

Conversation

@koic (Member) commented Sep 20, 2021

Summary

Follow up to #9695 (comment).

This PR adds a new `Security/IoMethods` cop.

It checks the first argument to `IO.read`, `IO.binread`, `IO.write`, `IO.binwrite`, `IO.foreach`, and `IO.readlines`.

If the argument starts with a pipe character (`'|'`) and the receiver is the `IO` class, a subprocess is created in the same way as `Kernel#open`, and its output is returned.
Consider using `File.read` to disable the behavior of subprocess invocation.

This cop is unsafe because a false positive will occur if the variable passed as the first argument is a command that is not a file path.

```ruby
# bad
IO.read(path)
IO.read('path')

# good
File.read(path)
File.read('path')
IO.read('| command') # Allow intentional command invocation.
```

Other Information

Below are links related to this cop.

- rubygems/rubygems#4530
- ruby/ruby#4579
Before submitting the PR make sure the following are checked:

  • The PR relates to only one subject with a clear title and description in grammatically correct, complete sentences.
  • Wrote good commit messages.
  • Commit message starts with [Fix #issue-number] (if the related issue exists).
  • Feature branch is up-to-date with master (if not - rebase it).
  • Squashed related commits together.
  • Added tests.
  • Ran bundle exec rake default. It executes all tests and runs RuboCop on its own code.
  • Added an entry (file) to the changelog folder named {change_type}_{change_description}.md if the new code introduces user-observable changes. See changelog entry format for details.
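The behaviour the cop targets, shown end to end as an added example (not code from this PR or from RuboCop): the same attacker-controlled string is passed to `IO.read` and to `File.read`. `IO.read` treats the leading `|` as a command and spawns a subprocess, exactly as `Kernel#open` does; `File.read` treats it as an ordinary (non-existent) file name and fails with `Errno::ENOENT`. The input string and the temporary file are constructed for the example. Because the pipe behaviour of these `IO` methods is deprecated since Ruby 3.3 and scheduled for removal, the helper records either the subprocess output or the exception raised, so the example runs on either kind of interpreter. The `IO.popen` array form at the end is an alternative for code that really does mean to run a command; it is not something the PR itself discusses.

```ruby
# Added example, not part of the PR or RuboCop: why IO.read & co. are
# flagged, and why File.read is the drop-in replacement.
require 'tmpdir'

# Reads `path` the way a naive application would, through IO.read.
# A leading '|' makes Ruby spawn a subprocess (like Kernel#open) instead
# of opening a file. Returns [:file, contents], [:subprocess, output]
# or [:rejected, exception_class].
def read_with_io(path)
  out = IO.read(path)
  [path.start_with?('|') ? :subprocess : :file, out]
rescue StandardError => e
  # Rubies that have removed the pipe behaviour (deprecated since 3.3)
  # raise here instead of spawning anything; missing files also land here.
  [:rejected, e.class]
end

# The same call through File.read: '|' is just a byte in a file name,
# so the "command" is looked up as a path and fails with ENOENT.
def read_with_file(path)
  [:file, File.read(path)]
rescue Errno::ENOENT => e
  [:rejected, e.class]
end

# Hypothetical attacker-controlled input, constructed for this example.
INJECTED_PATH = '| echo injected'

# Runs both readers against a real file and against the injected string.
def demo
  Dir.mktmpdir do |dir|
    real = File.join(dir, 'notes.txt')   # constructed sample file
    File.write(real, "hello\n")
    {
      io_file:   read_with_io(real),
      io_pipe:   read_with_io(INJECTED_PATH),
      file_file: read_with_file(real),
      file_pipe: read_with_file(INJECTED_PATH)
    }
  end
end

# When a command is genuinely intended, say so explicitly instead of relying
# on a '|' prefix; the array form of IO.popen never goes through a shell.
def run_intended_command(argv)
  IO.popen(argv, &:read)
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
  puts run_intended_command(['echo', 'intended'])
end
```

On an interpreter that still implements the pipe behaviour, `io_pipe` comes back as `[:subprocess, "injected\n"]` even though the caller only ever asked to read a file; `file_pipe` is `[:rejected, Errno::ENOENT]` in every case, which is the whole reason the cop suggests `File.read`.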

@koic force-pushed the add_new_security_io_read_cop branch from 211382c to 6112012 (September 20, 2021 16:18)
@koic force-pushed the add_new_security_io_read_cop branch from 6112012 to 9ac620a (September 21, 2021 02:00)
@bbatsov (Collaborator) commented Sep 22, 2021

The cop name is a bit misleading, as it checks for some writes as well. I'm not sure if IoMethods is not a better name, or just something more generic.

# Checks for the first argument to `IO.read`, `IO.binread`, `IO.write`, `IO.binwrite`,
# `IO.foreach`, and `IO.readlines`.
#
# If argument starts with a pipe character (`'|'`) and the receiver is the `IO` class,
@bbatsov (Collaborator) commented on the lines above:

Probably you should mention somewhere that Kernel#open may allow unintentional command injection, which is the reason IO methods are a security risk.

@bbatsov (Collaborator) commented Sep 28, 2021

@koic ping :-)

@koic force-pushed the add_new_security_io_read_cop branch 2 times, most recently from eb1f041 to de050bd (September 28, 2021 06:25)
@koic koic changed the title Add new Security/IoRead cop Add new Security/IoMethods cop Sep 28, 2021
@koic force-pushed the add_new_security_io_read_cop branch from de050bd to a88c43c (September 28, 2021 06:40)
@bbatsov bbatsov merged commit 6ae8d95 into rubocop:master Sep 28, 2021
@bbatsov (Collaborator) commented Sep 28, 2021

Thanks!

@koic koic deleted the add_new_security_io_read_cop branch September 28, 2021 07:34
@koic (Member, Author) commented Sep 28, 2021

Thank you too!
