Ruby

By DeepSource

Audit: Calls to methods in IO class must be avoided (RB-A1012)

Security

Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally.

If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open does, and the command's output is returned instead of a file's contents. Because Kernel#open can turn an attacker-controlled string into a shell command, these IO methods carry the same command-injection risk. Use File.read, which always treats its argument as a filename, to rule out the unintended subprocess invocation.

Bad practice

IO.read(path)
IO.read('path')

Recommended

File.read(path)
File.read('path')
IO.read('| command') # Allow intentional command invocation.
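The following is an added example, not DeepSource's own code, that contrasts the flagged call with the File.read replacement on a constructed, pipe-prefixed input and wraps the safe call in a reader confined to one directory (safe_read and the sample strings are assumptions for this illustration):

```ruby
require "tmpdir"

# Constructed sample of attacker-controlled input: a "filename" that begins
# with a pipe. IO.read would run it as a command; File.read looks for a file.
PIPE_NAME = "| echo injected"

# Flagged pattern (RB-A1012): with a '|' prefix, IO.read spawns a subprocess
# and returns its output. Defined only for comparison; never called here.
def read_untrusted_with_io(name)
  IO.read(name)
end

# Recommended pattern: File.read never interprets '|', so the same string is
# looked up as a plain filename and fails with Errno::ENOENT.
def read_untrusted_with_file(name)
  File.read(name)
end

# Defensive reader (assumption, not from the rule page): resolves the name
# under base_dir, rejects anything that escapes it, and reads with File.read.
def safe_read(base_dir, name)
  base = File.expand_path(base_dir)
  path = File.expand_path(name, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "path escapes #{base_dir}: #{name.inspect}"
  end
  File.read(path)
end

# Runs each scenario in a throwaway directory and reports what happened.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "notes.txt"), "hello\n")
    file_result = begin
      read_untrusted_with_file(PIPE_NAME)
    rescue Errno::ENOENT
      :enoent            # treated as a missing file, no command ran
    end
    pipe_in_dir = begin
      safe_read(dir, PIPE_NAME)
    rescue Errno::ENOENT
      :enoent            # same: a pipe prefix is just an odd filename
    end
    escape = begin
      safe_read(dir, "../etc/passwd")
    rescue ArgumentError
      :rejected          # traversal outside base_dir is refused
    end
    { file: file_result, safe: safe_read(dir, "notes.txt"),
      pipe_in_dir: pipe_in_dir, escape: escape }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```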

References

  1. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')