Security
Security/CompoundHash
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Pending |
No |
No |
1.28 |
1.51 |
Checks for implementations of the hash method which combine
values using custom logic instead of delegating to Array#hash.
Manually combining hashes is error prone and hard to follow, especially
when there are many values. Poor implementations may also introduce
performance or security concerns if they are prone to collisions.
Delegating to Array#hash is clearer and safer, although it might be slower
depending on the use case.
Security/IoMethods
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Pending |
No |
Always (Unsafe) |
1.22 |
- |
Checks for the first argument to IO.read, IO.binread, IO.write, IO.binwrite,
IO.foreach, and IO.readlines.
If argument starts with a pipe character ('|') and the receiver is the IO class,
a subprocess is created in the same way as Kernel#open, and its output is returned.
Kernel#open may allow unintentional command injection, which is the reason these
IO methods are a security risk.
Consider to use File.read to disable the behavior of subprocess invocation.
Security/JSONLoad
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Enabled |
Yes |
Always (Unsafe) |
0.43 |
1.22 |
Checks for the use of JSON class methods which have potential security issues.
Safety
This cop’s autocorrection is unsafe because it’s potentially dangerous.
If using a stream, like JSON.load(open('file')), it will need to call
#read manually, like JSON.parse(open('file').read).
If reading single values (rather than proper JSON objects), like
JSON.load('false'), it will need to pass the quirks_mode: true
option, like JSON.parse('false', quirks_mode: true).
Other similar issues may apply.
Security/MarshalLoad
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Enabled |
Yes |
No |
0.47 |
- |
Checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Security/Open
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Enabled |
No |
No |
0.53 |
1.0 |
Checks for the use of Kernel#open and URI.open with dynamic
data.
Kernel#open and URI.open enable not only file access but also process
invocation by prefixing a pipe symbol (e.g., open("| ls")).
So, it may lead to a serious security risk by using variable input to
the argument of Kernel#open and URI.open. It would be better to use
File.open, IO.popen or URI.parse#open explicitly.
open and URI.open with literal strings are not flagged by this
cop.
|
Security/YAMLLoad
| Enabled by default | Safe | Supports autocorrection | Version Added | Version Changed |
|---|---|---|---|---|
Enabled |
Yes |
Always (Unsafe) |
0.47 |
- |
Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.
|
Safety
The behavior of the code might change depending on what was
in the YAML payload, since YAML.safe_load is more restrictive.
Examples
# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default
# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo]) # Ruby 2.5 (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
YAML.dump(foo)