CodeQL documentation

Use of Kernel.open or IO.read or similar sinks with a non-constant value

ID: rb/non-constant-kernel-open
Kind: problem
Security severity: 6.5
Severity: warning
Precision: high
Tags:
   - correctness
   - security
   - external/cwe/cwe-078
   - external/cwe/cwe-088
   - external/cwe/cwe-073
Query suites:
   - ruby-code-scanning.qls
   - ruby-security-extended.qls
   - ruby-security-and-quality.qls

If Kernel.open is given a file name that starts with a | character, it will execute the remaining string as a shell command. If a malicious user can control the file name, they can execute arbitrary code. The same vulnerability applies to IO.read, IO.write, IO.binread, IO.binwrite, IO.foreach, IO.readlines and URI.open.

Use File.open instead of Kernel.open, as the former does not have this vulnerability. Similarly, use the methods from the File class instead of the IO class, e.g. File.read instead of IO.read.

Instead of URI.open, use URI(..).open or an HTTP client.


The following example shows code that calls Kernel.open on a user-supplied file path.

require "open-uri"

class UsersController < ActionController::Base
  def create
    filename = params[:filename]
    open(filename) # BAD

    web_page = params[:web_page]
    open(web_page) # BAD - calls URI.open internally
  end
end

Instead, File.open should be used, as in the following example.

class UsersController < ActionController::Base
  def create
    filename = params[:filename]
    File.open(filename) # GOOD

    web_page = params[:web_page]
    URI(web_page).open # GOOD
  end
end
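The following is an added example, not part of the CodeQL documentation or the query's own code, that makes the difference between the two APIs concrete: File.open and File.read treat a name beginning with | as a literal path (so a constructed hostile name such as "|echo pwned" simply fails with Errno::ENOENT), whereas Kernel.open would have spawned the command. The helper names (pipe_prefixed?, read_user_file, file_open_outcome, roundtrip) are assumptions for illustration only; the explicit | check is defence in depth on top of using the File class, not a replacement for it.

```ruby
require "tempfile"

# Hypothetical helper (not from the CodeQL query): names beginning with '|' are
# exactly what Kernel.open and IO.read would interpret as a command to run, so a
# handler that must accept a user-supplied name can reject them up front.
def pipe_prefixed?(name)
  name.to_s.start_with?("|")
end

# Reads a file by its literal path. File.read never treats '|' specially, so even
# without the explicit check a hostile name cannot become a shell command here.
def read_user_file(name)
  raise ArgumentError, "refusing pipe-prefixed file name #{name.inspect}" if pipe_prefixed?(name)
  File.read(name)
end

# What File.open does with a constructed hostile name: it looks for a file literally
# called "|echo pwned" and, finding none, raises Errno::ENOENT. Kernel.open with the
# same argument would instead have executed `echo pwned`.
def file_open_outcome(name)
  File.open(name) { |f| f.read }
  :opened
rescue Errno::ENOENT
  :no_such_file
end

# Round trip through a real temporary file to show the safe path still works
# for ordinary file names.
def roundtrip(content)
  Tempfile.create("demo") do |tmp|
    tmp.write(content)
    tmp.flush
    read_user_file(tmp.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts file_open_outcome("|echo pwned")   # :no_such_file
  puts roundtrip("hello")                 # hello
end
```

Running the script prints :no_such_file for the pipe-prefixed name and echoes the temporary file's contents for the ordinary one; read_user_file("|id") raises ArgumentError before any file or process is touched.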

