Security

Security/Eval

Enabled by default: Enabled
Safe: Yes
Supports autocorrection: No
VersionAdded: 0.47
VersionChanged: -

This cop checks for the use of Kernel#eval and Binding#eval.

Examples

# bad
eval(something)
binding.eval(something)
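The usual reason code reaches for eval is to pick an operation by name at runtime. The following is an added example, not part of the RuboCop documentation, showing the alternative the cop pushes you toward: an explicit allow-list of operations keyed by name, so input that is not on the list is rejected rather than handed to the Ruby parser. The operation names and bodies are constructed for the example.

```ruby
# Allow-list of operations callable by name. Anything not listed here
# cannot be reached by user input, whatever string arrives.
OPERATIONS = {
  'add'    => ->(a, b) { Integer(a) + Integer(b) },
  'length' => ->(s) { s.length }
}.freeze

# Look the name up instead of evaluating it. The fetch block turns an
# unknown name into an ArgumentError; lambdas also enforce arity, so a
# wrong argument count is an ArgumentError as well.
def dispatch(name, *args)
  op = OPERATIONS.fetch(name) { raise ArgumentError, "unknown operation: #{name.inspect}" }
  op.call(*args)
end

# Example calls (constructed input):
#   dispatch('add', '2', '3')  #=> 5
#   dispatch('length', 'abc')  #=> 3
#   dispatch('system')         # raises ArgumentError
```

Contrast with eval("#{name}(#{args.join(',')})"), where the name string is parsed as Ruby and can name any method at all.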

Security/JSONLoad

Enabled by default: Enabled
Safe: Yes
Supports autocorrection: Yes (Unsafe)
VersionAdded: 0.43
VersionChanged: 0.44

This cop checks for the use of JSON class methods which have potential security issues.

Autocorrect is disabled by default because it is potentially dangerous: JSON.parse is not a drop-in replacement for JSON.load in every call site. If the argument is a stream, like JSON.load(open('file')), the corrected code needs to call #read manually, like JSON.parse(open('file').read). If the input is a single value rather than a proper JSON object, like JSON.load('false'), the corrected code needs to pass the quirks_mode: true option, like JSON.parse('false', quirks_mode: true). Other similar issues may apply.

Examples

# bad
JSON.load("{}")
JSON.restore("{}")

# good
JSON.parse("{}")
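Why the cop treats JSON.load as a security issue is easier to see than to describe: JSON.load honours the "json_class" key and will instantiate whatever class the document names, provided the class responds to json_create, while JSON.parse returns that key as ordinary data. The block below is an added example, not code from RuboCop or the json gem; the AuditEvent class and the untrusted document are constructed for it. It also applies the two corrections the cop's note mentions, calling #read on a stream before parsing and parsing a bare scalar (JSON.parse accepts "false" directly in json 2.x, so no quirks_mode option is passed here).

```ruby
require 'json'
require 'stringio'

# Constructed class with a json_create hook. Any such class in the process
# can be instantiated by JSON.load when the document carries "json_class".
class AuditEvent
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def self.json_create(hash)
    new(hash['name'])
  end
end

# Constructed untrusted input naming a class to instantiate.
UNTRUSTED = '{"json_class":"AuditEvent","name":"login"}'.freeze

# What the cop flags: with additions enabled, JSON.load resolves the class
# name in the document and calls its json_create hook.
def load_with_additions(source)
  JSON.load(source, nil, create_additions: true)
end

# The replacement the cop recommends. JSON.parse never instantiates classes;
# "json_class" comes back as a plain string key. Streams are read first, as
# the cop's note says an autocorrect would have to do by hand.
def parse_untrusted(source)
  source = source.read if source.respond_to?(:read)
  JSON.parse(source)
end

# Example calls (constructed input):
#   load_with_additions(UNTRUSTED).class            #=> AuditEvent
#   parse_untrusted(UNTRUSTED)                      #=> {"json_class"=>"AuditEvent", "name"=>"login"}
#   parse_untrusted(StringIO.new('{"a": 1}'))       #=> {"a"=>1}
#   parse_untrusted('false')                        #=> false
```

The instantiation path is the whole problem: which classes are reachable depends on every gem loaded into the process, not on the code that calls JSON.load.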

Configurable attributes

Name: AutoCorrect
Default value: false
Configurable values: Boolean

Security/MarshalLoad

Enabled by default: Enabled
Safe: Yes
Supports autocorrection: No
VersionAdded: 0.47
VersionChanged: -

This cop checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Examples

# bad
Marshal.load("{}")
Marshal.restore("{}")

# good
Marshal.dump("{}")

# okish - deep copy hack
Marshal.load(Marshal.dump({}))
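Marshal.load is unsafe on untrusted bytes because the format can name arbitrary classes and invoke their load hooks, which is why the cop only tolerates the deep-copy hack, where the bytes never leave the process. When Marshal data genuinely has to cross a boundary, the defensive pattern is to authenticate the bytes before Marshal.load ever sees them. The block below is an added example, not code from RuboCop; the HMAC-signed envelope, the key handling and the helper names are constructed for it, and the key is generated in-process purely for the demonstration.

```ruby
require 'openssl'
require 'securerandom'

# Demo key generated here; a real service would load it from configuration.
DEMO_KEY = SecureRandom.bytes(32)
MAC_LEN = 32 # bytes in an HMAC-SHA256 tag

def mac_for(blob, key)
  OpenSSL::HMAC.digest('SHA256', key, blob)
end

# Constant-time comparison so a forged tag cannot be guessed byte by byte.
def secure_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Serialise data this process produced and append a MAC over the bytes.
def dump_signed(obj, key)
  blob = Marshal.dump(obj)
  blob + mac_for(blob, key)
end

# Verify the MAC first; Marshal.load only runs on bytes we signed ourselves.
# Returns nil for anything short, tampered or signed with a different key.
def load_signed(payload, key)
  return nil if payload.bytesize <= MAC_LEN
  blob = payload.byteslice(0, payload.bytesize - MAC_LEN)
  mac  = payload.byteslice(payload.bytesize - MAC_LEN, MAC_LEN)
  return nil unless secure_eq?(mac, mac_for(blob, key))
  Marshal.load(blob)
end

# The "okish" deep-copy hack from the examples above: acceptable because the
# serialised bytes are produced and consumed inside the same process.
def deep_copy(obj)
  Marshal.load(Marshal.dump(obj))
end
```

Note that the MAC check does nothing to make Marshal.load itself safer; it only guarantees the bytes are the ones this key signed, so the trust question moves to key management. For data that must be exchanged with other parties, a data-only format such as JSON.parse remains the better choice.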

Security/Open

Enabled by default: Enabled
Safe: No
Supports autocorrection: No
VersionAdded: 0.53
VersionChanged: 1.0

This cop checks for the use of Kernel#open and URI.open.

Kernel#open and URI.open enable not only file access but also process invocation when the argument starts with a pipe symbol (e.g., open("| ls")). Passing variable input to Kernel#open or URI.open can therefore be a serious security risk. It is better to use File.open, IO.popen or URI.parse#open explicitly, so the intent (file, process or URL) is fixed in the code rather than decided by the data.

Examples

# bad
open(something)
URI.open(something)

# good
File.open(something)
IO.popen(something)
URI.parse(something).open
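The difference between the bad and good forms is what happens to an argument like "| ls": File.open treats it purely as a path, looks for a file literally named "| ls" and fails, where Kernel#open would have started a process. The block below is an added example, not code from RuboCop, that reads a file named by untrusted input from inside a fixed directory using File.open; it additionally confines the resolved path to that directory, which is a related hardening step not stated on this page. The directory, the file and the helper names are constructed for the example.

```ruby
require 'tmpdir'

# Read a file chosen by untrusted input from within base_dir only.
# File.open never interprets a leading "|", so a name such as "| ls" is
# just a file that does not exist. The start_with? check is extra
# hardening against "../" escapes.
def read_confined(base_dir, name)
  path = File.expand_path(name, base_dir)
  unless path.start_with?(File.join(base_dir, ''))
    raise ArgumentError, "path escapes #{base_dir}"
  end
  File.open(path, 'rb', &:read)
end

# Returns either the file content or the name of the error class, so the
# behaviour for each kind of input can be compared side by side.
def outcome(base_dir, name)
  read_confined(base_dir, name)
rescue SystemCallError, ArgumentError => e
  e.class.name
end

# Runs the comparison against a throwaway directory holding one file.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'notes.txt'), 'hello')
    {
      plain:    outcome(dir, 'notes.txt'),        # "hello"
      pipe:     outcome(dir, '| ls'),             # "Errno::ENOENT": no process is started
      traverse: outcome(dir, '../../etc/passwd')  # "ArgumentError": rejected by the confinement check
    }
  end
end
```

The same reasoning applies to URI.open versus URI.parse(something).open: with the parse step made explicit, a non-URL string raises URI::InvalidURIError instead of being reinterpreted as a filename or a command.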

Security/YAMLLoad

Enabled by default: Enabled
Safe: Yes
Supports autocorrection: Yes (Unsafe)
VersionAdded: 0.47
VersionChanged: -

This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Examples

# bad
YAML.load("--- foo")

# good
YAML.safe_load("--- foo")
YAML.dump("foo")
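YAML.safe_load is the recommended replacement because it refuses tags that would instantiate arbitrary Ruby objects and only admits classes you list explicitly. The block below is an added example, not code from RuboCop or Psych, of a loader for untrusted YAML that permits symbols, disables aliases and reports a rejected document instead of raising; the helper name and the sample documents are constructed for it. (Since Psych 4, shipped with Ruby 3.1, YAML.load itself delegates to safe_load and the unrestricted loader is YAML.unsafe_load; on older Rubies YAML.load is the unrestricted one, which is what this cop guards against.)

```ruby
require 'yaml'

# Load untrusted YAML. Only plain data plus Symbol comes back; any other
# tagged class raises Psych::DisallowedClass, and aliases are refused so a
# document cannot expand into a huge object graph. Rejections are returned
# as a small hash so callers can log them rather than rescue everywhere.
def load_untrusted(doc)
  YAML.safe_load(doc, permitted_classes: [Symbol], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name }
end

# Constructed sample documents.
PLAIN_DOC  = "--- foo\n".freeze
SYMBOL_DOC = "--- :tag\n".freeze
OBJECT_DOC = "--- !ruby/object:Object {}\n".freeze

# Example calls:
#   load_untrusted(PLAIN_DOC)   #=> "foo"
#   load_untrusted(SYMBOL_DOC)  #=> :tag
#   load_untrusted(OBJECT_DOC)  #=> { error: "Psych::DisallowedClass" }
```

Widening permitted_classes is the one knob that reintroduces risk: every class added there is a class an attacker may instantiate with attacker-chosen instance variables, so keep the list to value types.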