DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
Ruby

Ruby

Made by DeepSource
Use Analyzer

Audit: Calls to methods in IO class must be avoided RB-A1012

Security
Critical
 cwe-78

Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally.

If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk. Consider using File.read to protect yourself against the unintended subprocess invocation.

Bad practice

IO.read(path)
IO.read('path')

Recommended

File.read(path)
File.read('path')
IO.read('| command') # Allow intentional command invocation.

References

  1. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')