Untrusted Open
Severity: High

Opening a file whose name is not static may let user-supplied data control the program. Ruby's Kernel#open treats an argument that starts with "|" as a command to run rather than a file to read, so an attacker who controls the argument can make the program execute arbitrary commands or process malicious data.

Detector ID
ruby/untrusted-file-open@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-

Compliant example

filename = "testfile"
# Compliant: File being opened is static.
open(filename) do |f|
  print f.gets
end

Noncompliant example

# Noncompliant: User-input directly controls which file is opened.
# Kernel#open with a leading "|" runs the rest of the string as a command,
# so params[:file] is executed rather than read.
cmd = open("|%s" % params[:file])
print cmd.gets
cmd.close
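A hardened replacement for the noncompliant pattern, added here as an example and not code from the detector page: it uses File.open (which never interprets a "|" prefix as a command) and confines the user-supplied name to an allowed base directory. The base directory, the constructed report.txt file and the sample inputs are assumptions for the demonstration.

```ruby
require "tmpdir"

# Raised when a user-supplied name must not be opened.
class UnsafePath < StandardError; end

# Reads a file named by untrusted input, confined to base_dir.
# Kernel#open would spawn a process for "|cmd"; File.open never does.
def safe_read(base_dir, user_supplied)
  name = user_supplied.to_s
  # Defence in depth: a leading pipe has no legitimate meaning for a file name.
  raise UnsafePath, "pipe prefix rejected" if name.start_with?("|")
  base = File.expand_path(base_dir)
  target = File.expand_path(name, base) # resolves "..", absolute paths, etc.
  # Containment check: the resolved path must stay inside base
  # (the separator keeps a sibling such as "baseX" from passing).
  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise UnsafePath, "path escapes #{base}"
  end
  File.open(target, "r") { |f| f.read }
end

# Runs the constructed inputs against a temporary base directory and returns
# either the file contents or the exception class for each input.
def demo
  Dir.mktmpdir("untrusted-open") do |dir|
    File.write(File.join(dir, "report.txt"), "quarterly numbers\n")
    results = {}
    ["report.txt", "sub/../report.txt", "|echo pwned", "../../etc/passwd"].each do |input|
      begin
        results[input] = safe_read(dir, input)
      rescue UnsafePath, Errno::ENOENT => e
        results[input] = e.class
      end
    end
    results
  end
end

if __FILE__ == $0
  demo.each { |input, outcome| puts "#{input.inspect} => #{outcome.inspect}" }
end
```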