By DeepSource

Audit: Calls to methods in IO class must be avoided RB-A1012


Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally.

If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk. Consider using to protect yourself against the unintended subprocess invocation.

Bad practice'path')

Recommended'path')'| command') # Allow intentional command invocation.
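The pipe handling described above can be checked directly. The following is an added example, not code from DeepSource or the original page; it assumes a POSIX shell with `echo`, and the helper names `spawns_subprocess?` and `read_report`, the constructed input, and the choice of `File.read` as the non-spawning call are this example's own.

```ruby
require "tmpdir"

# Constructed, benign input: a leading '|' followed by a harmless command.
PIPE_INPUT = "| echo spawned"

# Audit helper (hypothetical name): true if klass.read treated the argument
# as a command and ran it, false if it treated it as a plain file name.
# With IO as the receiver the result depends on the Ruby version: releases
# that still support the pipe form return true, later ones return false.
def spawns_subprocess?(klass, arg = PIPE_INPUT)
  klass.read(arg) == "spawned\n"
rescue SystemCallError
  false # e.g. Errno::ENOENT: no file with that literal name exists
end

# Reader for caller-supplied names (hypothetical helper). File is the
# receiver, so a leading '|' is only ever part of a file name.
# Returns the file contents, or nil when no such file exists.
def read_report(dir, name)
  Dir.chdir(dir) { File.read(name) }
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts "IO.read spawns a subprocess:   #{spawns_subprocess?(IO)}"
  puts "File.read spawns a subprocess: #{spawns_subprocess?(File)}"

  Dir.mktmpdir do |dir|
    # A file whose name really begins with '|' is read as a file.
    File.write(File.join(dir, "|report.txt"), "literal file\n")
    puts read_report(dir, "|report.txt").inspect
    # The command-shaped input is looked up as a file name and not found.
    puts read_report(dir, PIPE_INPUT).inspect
  end
end
```
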


  1. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')