Kernel.open, IO.read or similar sinks with a non-constant value

ID: rb/non-constant-kernel-open
Kind: problem
Severity: warning
Precision: high
Tags:
- correctness
- security
- external/cwe/cwe-078
- external/cwe/cwe-088
- external/cwe/cwe-073
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
If Kernel.open is given a file name that starts with a | character, it will execute the remaining string as a shell command. If a malicious user can control the file name, they can execute arbitrary code. The same vulnerability applies to IO.read and the similar IO class methods.

Use File.open instead of Kernel.open, as the former does not have this vulnerability. Similarly, use the methods from the File class instead of the IO class, e.g. File.read instead of IO.read. To open a URI, use URI(..).open or an HTTP client.
The following example shows code that calls Kernel.open on a user-supplied file path.

```ruby
class UsersController < ActionController::Base
  def create
    filename = params[:filename]
    open(filename) # BAD
  end
end
```
Instead, File.open should be used, as in the following example.

```ruby
class UsersController < ActionController::Base
  def create
    filename = params[:filename]
    File.open(filename)
  end
end
```
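The contrast the recommendation draws, as an added example that is not part of the CodeQL query help: a guard plus a File-based read helper (assumed names pipe_name?, describe_open and read_user_file), run on a constructed temp file and a constructed pipe-style name. It relies on File.read treating a "|" name as a plain file name rather than a command, which holds on Ruby 2.6 and later.

```ruby
# Added example, not part of the CodeQL query help. Helper names are assumed.
# Keeps a user-supplied name away from Kernel.open and shows how File.read
# handles the same "|cmd" string: as a file name, not a command (Ruby 2.6+).
require "tmpdir"

# True when Kernel.open / IO.read would treat the name as a command to run.
def pipe_name?(name)
  name.to_s.start_with?("|")
end

# Explains, without opening anything, how each API would interpret the name.
def describe_open(name)
  pipe_name?(name) ? :kernel_open_would_spawn_command : :plain_file_name
end

# Reads a user-controlled file name safely: the pipe form is rejected with a
# clear error, and the actual read goes through File, never Kernel.open.
def read_user_file(name)
  raise ArgumentError, "refusing pipe-style name #{name.inspect}" if pipe_name?(name)
  File.read(name)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, "notes.txt")     # constructed sample file
    File.write(path, "hello\n")
    puts read_user_file(path)              # prints "hello"

    hostile = "|echo injected"             # constructed hostile input
    puts describe_open(hostile)            # kernel_open_would_spawn_command
    begin
      read_user_file(hostile)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end

    # Even without the guard, File.read looks for a file literally named
    # "|echo injected" instead of running echo, so it raises ENOENT.
    begin
      File.read(hostile)
    rescue Errno::ENOENT => e
      puts "File.read saw a file name: #{e.message}"
    end
  end
end
```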