Add new Security/IoMethods cop
#10102
Merged
+155
−1
Commits on Sep 28, 2021
-
Add new
Security/IoMethodscop## Summary Follow up to rubocop#9695 (comment). This PR adds new `Security/IoMethods` cop. It checks for the first argument to `IO.read`, `IO.binread`, `IO.write`, `IO.binwrite`, `IO.foreach`, and `IO.readlines`. If argument starts with a pipe character (`'|'`) and the receiver is the `IO` class, a subprocess is created in the same way as `Kernel#open`, and its output is returned. Consider to use `File.read` to disable the behavior of subprocess invocation. This cop is unsafe because false positive will occur if the variable passed as the first argument is a command that is not a file path. ```ruby # bad IO.read(path) IO.read('path') # good File.read(path) File.read('path') IO.read('| command') # Allow intentional command invocation. ``` ## Other Information Below are links related to this cop. - rubygems/rubygems#4530 - ruby/ruby#4579
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.