Security
Security/CompoundHash
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Pending | Yes | No | 1.28 | - |
Checks for implementations of the hash method which combine values using custom logic instead of delegating to Array#hash.
Manually combining hashes is error prone and hard to follow, especially when there are many values. Poor implementations may also introduce performance or security concerns if they are prone to collisions. Delegating to Array#hash is clearer, faster, and safer.
Security/IoMethods
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Pending | No | Yes (Unsafe) | 1.22 | - |
Checks for the first argument to IO.read, IO.binread, IO.write, IO.binwrite, IO.foreach, and IO.readlines.
If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk.
Consider using File.read to disable the behavior of subprocess invocation.
Security/JSONLoad
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled | Yes | Yes (Unsafe) | 0.43 | 1.22 |
Checks for the use of JSON class methods which have potential security issues.
Safety
This cop's autocorrection is unsafe because it is potentially dangerous.
If using a stream, like JSON.load(open('file')), it will need to call #read manually, like JSON.parse(open('file').read).
If reading single values (rather than proper JSON objects), like JSON.load('false'), it will need to pass the quirks_mode: true option, like JSON.parse('false', quirks_mode: true).
Other similar issues may apply.
Security/MarshalLoad
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled | Yes | No | 0.47 | - |
Checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Security/Open
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled | No | No | 0.53 | 1.0 |
Checks for the use of Kernel#open and URI.open with dynamic data.
Kernel#open and URI.open enable not only file access but also process invocation by prefixing a pipe symbol (e.g., open("| ls")). Passing variable input as the argument of Kernel#open or URI.open can therefore be a serious security risk. It would be better to use File.open, IO.popen or URI.parse#open explicitly.
open and URI.open with literal strings are not flagged by this cop.
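The replacement the Security/Open and Security/IoMethods cops recommend, as an added example (not RuboCop's own code): a reader for user-controlled file names built on File.read, plus a guard for call sites that still go through Kernel#open. The file name and the pipe-prefixed input are constructed for the demo; it assumes Ruby 2.6+, where File.read no longer spawns a subprocess for a leading '|'.

```ruby
require 'tempfile'

# Defensive replacement for Kernel#open / IO.read on user-supplied names.
# File.read treats a leading '|' as part of an ordinary filename (Ruby 2.6+),
# so the subprocess behaviour the cops warn about cannot be triggered here.
def read_user_file(name)
  File.read(name)
end

# Explicit guard for code that still calls Kernel#open: conservatively
# reject any name that Kernel#open would interpret as a command.
def pipe_prefixed?(name)
  name.lstrip.start_with?('|')
end

# Returns [contents_of_real_file, spawned_for_pipe_name]. The second value
# is false when File.read raised ENOENT instead of running a shell.
def demo
  Tempfile.create('security-open') do |f|
    f.write("report data\n")
    f.flush
    contents = read_user_file(f.path)
    spawned =
      begin
        read_user_file('| echo injected') # constructed attacker-shaped input
        true
      rescue Errno::ENOENT
        false
      end
    [contents, spawned]
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```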
Security/YAMLLoad
Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
---|---|---|---|---|
Enabled | Yes | Yes (Unsafe) | 0.47 | - |
Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.
Safety
The behavior of the code might change depending on what was in the YAML payload, since YAML.safe_load is more restrictive.
Examples
# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default
# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo]) # Ruby 2.5 (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
YAML.dump(foo)