Security
Security/JSONLoad
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled |
Yes |
Yes (Unsafe) |
0.43 |
0.44 |
This cop checks for the use of JSON class methods which have potential security issues.
Autocorrect is disabled by default because it’s potentially dangerous.
If using a stream, like JSON.load(open('file'))
, it will need to call
#read
manually, like JSON.parse(open('file').read)
.
If reading single values (rather than proper JSON objects), like
JSON.load('false')
, it will need to pass the quirks_mode: true
option, like JSON.parse('false', quirks_mode: true)
.
Other similar issues may apply.
Security/MarshalLoad
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled |
Yes |
No |
0.47 |
- |
This cop checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Security/Open
Enabled by default | Safe | Supports autocorrection | VersionAdded | VersionChanged |
---|---|---|---|---|
Enabled |
No |
No |
0.53 |
- |
This cop checks for the use of Kernel#open
.
Kernel#open
enables not only file access but also process invocation
by prefixing a pipe symbol (e.g., open("| ls")
). So, it may lead to
a serious security risk by using variable input to the argument of
Kernel#open
. It would be better to use File.open
, IO.popen
or
URI#open
explicitly.