IO class must be avoided RB-A1012

File.read is safer than IO.read.

    # Domains should now be added
    get :export, params: { format: :csv }
    expect(response).to have_http_status(200)
    expect(response.body).to eq(IO.read(File.join(file_fixture_path, 'domain_blocks.csv')))
  end

  it 'blocks imported domains with only domains csv' do

File.read is safer than IO.read.

    get :export, params: { format: :csv }
    expect(response).to have_http_status(200)
    expect(response.body).to eq(IO.read(File.join(file_fixture_path, 'domain_blocks.csv')))
  end
end

File.read is safer than IO.read.

    # Domains should now be added
    get :export, params: { format: :csv }
    expect(response).to have_http_status(200)
    expect(response.body).to eq(IO.read(File.join(file_fixture_path, 'domain_allows.csv')))
  end

  it 'displays error on no file selected' do

File.read is safer than IO.read.

    get :export, params: { format: :csv }
    expect(response).to have_http_status(200)
    expect(response.body).to eq(IO.read(File.join(file_fixture_path, 'domain_allows.csv')))
  end
end

Calls to methods in the IO class must be avoided unless a command needs to be invoked intentionally. If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk. Consider using File.read to protect yourself against the unintended subprocess invocation.

IO.read(path)
IO.read('path')
File.read(path)
File.read('path')
IO.read('| command') # Allow intentional command invocation.
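
The receiver check described above, as an added example that is not code from this page or from the analyzed project: it passes the same pipe-prefixed string to the class-level readers on File and on IO and classifies the outcome. The input string, the helper names and the temporary fixture are constructed for illustration; the IO result depends on whether the running Ruby still honours the leading pipe, so both outcomes are handled.

```ruby
require 'tmpdir'

# Constructed input: a "path" beginning with a pipe, as untrusted data might.
PIPE_INPUT = '| echo spawned'
READERS = %i[read binread readlines].freeze

# Calls klass.<reader>(path) and classifies what happened.
def classify(klass, reader, path)
  out = Array(klass.public_send(reader, path)).join
  out.include?('spawned') ? :subprocess_ran : :read_file
rescue SystemCallError
  :treated_as_filename # no file by that literal name exists
end

# Runs every reader on both receivers inside an empty temp directory,
# so the pipe-prefixed string cannot match a real file.
def compare_receivers
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      READERS.to_h do |reader|
        [reader, { file: classify(File, reader, PIPE_INPUT),
                   io: classify(IO, reader, PIPE_INPUT) }]
      end
    end
  end
end

# For an ordinary fixture path, File.read returns the same bytes as IO.read,
# so switching the receiver in the specs does not change what is compared.
def fixture_roundtrip
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'domain_blocks.csv')
    File.write(path, "example.com\n")
    File.read(path) == IO.read(path)
  end
end

if $PROGRAM_NAME == __FILE__
  compare_receivers.each { |reader, result| puts "#{reader}: #{result}" }
  puts "fixture identical: #{fixture_roundtrip}"
end
```

With File as the receiver every reader reports :treated_as_filename; with IO the result is :subprocess_ran on Ruby versions that still honour the leading pipe.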