Skip to content

Commit 6420755

Browse files
Merge pull request #645 from puppetlabs/CAT-2637
(CAT-2637) Enable Security/Open and Security/IoMethods cops
2 parents 78ba74e + b96aba3 commit 6420755

2 files changed

Lines changed: 13 additions & 0 deletions

File tree

README.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -251,6 +251,17 @@ In this example the automated release prep workflow is triggered every Saturday
251251
|cleanup\_cops |Defines a set of cleanup cops to then be included within a rubocop profile. Cops are defined by their full name, and further configuration can be done by specifying secondary keys. By default we specify a large amount of cleanup cops using their default configuration.|
252252
|profiles |Defines the profiles that can be enabled and used within rubocop through the `selected_profile` option. By default we have set up three profiles: cleanups\_only, strict, hardcore and off.|
253253

254+
#### Puppet 9 subprocess-creation detection
255+
256+
The `strict` profile enables two security cops that flag the pipe-based subprocess creation removed in Ruby 4.0 (which ships with Puppet 9). See [Ruby #19630](https://bugs.ruby-lang.org/issues/19630).
257+
258+
| Cop | Flags | Recommended replacement |
259+
| :-- | :---- | :---------------------- |
260+
| `Security/Open` | `open(...)` / `URI.open(...)` with a pipe argument (`open("\| cmd")`) or a dynamic argument (`open(var)`). Literal file paths such as `open("foo.txt")` are not flagged. | `File.open`, `IO.popen`, or `URI.parse(...).open` |
261+
| `Security/IoMethods` | `IO.read` / `IO.write` / `IO.binread` / `IO.binwrite` / `IO.foreach` / `IO.readlines` used for file access (e.g. `IO.read("foo.txt")`). | `File.read`, `File.write`, etc. (autocorrectable) |
262+
263+
Known gaps (not statically detectable, so not flagged): the explicit-receiver `Kernel.open(...)` form, and the deliberate `IO.read("| cmd")` pipe-subprocess form (intentionally allowed by `Security/IoMethods`). Both cops are overridable per module through `.sync.yml`.
264+
254265
### Gemfile
255266

256267
>A Gemfile is a file we create which is used for describing gem dependencies for Ruby programs. All modules should have an associated Gemfile for installing the relevant gems. As development and testing is somewhat consistant between modules we have used the template to define a set of gems relevant to these processes.

config_defaults.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -452,7 +452,9 @@ Rakefile:
452452
RSpec/SubjectStub:
453453
RSpec/VerifiedDoubles:
454454
Security/Eval:
455+
Security/IoMethods:
455456
Security/MarshalLoad:
457+
Security/Open:
456458
Naming/AsciiIdentifiers:
457459
Style/BeginBlock:
458460
Style/CaseEquality:

0 commit comments

Comments
 (0)