Security

Security/Eval

Enabled by default: Enabled
Supports autocorrection: No

This cop checks for the use of Kernel#eval and Binding#eval.

Examples

# bad
eval(something)
binding.eval(something)

Security/JSONLoad

Enabled by default: Enabled
Supports autocorrection: Yes

This cop checks for the use of JSON class methods which have potential security issues.

Autocorrection is disabled by default because it is potentially dangerous: JSON.load and JSON.parse do not accept the same inputs. If a stream is being loaded, like JSON.load(open('file')), the corrected code needs to call #read itself, like JSON.parse(open('file').read). If single values (rather than proper JSON objects) are being loaded, like JSON.load('false'), the corrected code needs to pass the quirks_mode: true option, like JSON.parse('false', quirks_mode: true). Other similar issues may apply.

Examples

# always offense
JSON.load("{}")
JSON.restore("{}")

# no offense
JSON.parse("{}")
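The two migration pitfalls above (streams and bare values) are easy to handle in one place. The following helper is an added example, not code from the RuboCop project: it reads a stream itself, hands plain text to JSON.parse, and caps nesting depth. The names parse_json_untrusted, demo_json, nesting_capped? and the SAMPLE_* inputs are assumptions of this example. It also relies on the json 2.x gem that ships with current Ruby, where JSON.parse accepts a bare scalar such as 'false' without further options.

```ruby
# Added example (not from the RuboCop docs): a helper that does by hand what
# the cop's autocorrect cannot do safely, so JSON.load is never needed for
# external input. Names (parse_json_untrusted, SAMPLE_*) are my own.
require 'json'
require 'stringio'

# Parse JSON that came from outside the process (request body, file, socket).
# JSON.parse only ever builds Hash, Array, String, Numeric, true, false and
# nil, so a "json_class" key in the document is just an ordinary key. Streams
# are read here instead of relying on JSON.load to read them, and the nesting
# depth is capped so an oversized document cannot exhaust the stack.
def parse_json_untrusted(source, max_nesting: 20)
  text = source.respond_to?(:read) ? source.read : source.to_str
  JSON.parse(text, max_nesting: max_nesting)
end

# Constructed sample inputs.
SAMPLE_STREAM_BODY = '{"user": "alice", "roles": ["admin"]}'
SAMPLE_SCALAR      = 'false'   # a bare value, not an object
SAMPLE_ADDITION    = '{"json_class": "Range", "a": [1, 3, false]}'

def demo_json
  {
    stream:   parse_json_untrusted(StringIO.new(SAMPLE_STREAM_BODY)),
    scalar:   parse_json_untrusted(SAMPLE_SCALAR),
    addition: parse_json_untrusted(SAMPLE_ADDITION) # stays a plain Hash
  }
end

# Returns true when the nesting cap refuses a document, false otherwise.
def nesting_capped?(depth, limit: 20)
  parse_json_untrusted(('[' * depth) + (']' * depth), max_nesting: limit)
  false
rescue JSON::NestingError
  true
end

puts demo_json.inspect if $PROGRAM_NAME == __FILE__
```

Because the helper never calls JSON.load, the cop has nothing to flag, and the "json_class" document in the sample comes back as an ordinary Hash rather than as an instantiated object.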

Configurable attributes

Name Default value Configurable values
AutoCorrect false Boolean

Security/MarshalLoad

Enabled by default: Enabled
Supports autocorrection: No

This cop checks for the use of Marshal class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Examples

# bad
Marshal.load("{}")
Marshal.restore("{}")

# good
Marshal.dump("{}")

# okish - deep copy hack
Marshal.load(Marshal.dump({}))
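The "okish" case is tolerated because the bytes handed to Marshal.load are produced by Marshal.dump in the same process and never come from outside. The snippet below is an added example, not RuboCop code, showing why that round trip is used at all: unlike dup, it copies nested objects. The names deep_copy and demo_deep_copy and the sample hash are assumptions of this example.

```ruby
# Added example (not from the RuboCop docs). The only Marshal.load here is the
# in-process round trip the cop tolerates; no serialized bytes ever arrive
# from a file, socket or request. Names (deep_copy, demo_deep_copy) are mine.

# Object#dup copies only the outer container; nested arrays and hashes are
# shared with the original. A Marshal round trip rebuilds every level.
def deep_copy(obj)
  Marshal.load(Marshal.dump(obj))
end

def demo_deep_copy
  original = { 'allow' => ['10.0.0.0/8'], 'limits' => { 'rps' => 100 } }
  shallow  = original.dup          # shares original['allow']
  deep     = deep_copy(original)   # independent copy

  shallow['allow'] << '0.0.0.0/0'      # leaks into original
  deep['allow']    << '192.168.0.0/16' # does not

  [original['allow'], deep['allow']]
end

puts demo_deep_copy.inspect if $PROGRAM_NAME == __FILE__
```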

Security/YAMLLoad

Enabled by default: Enabled
Supports autocorrection: Yes

This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Examples

# bad
YAML.load("--- foo")

# good
YAML.safe_load("--- foo")
YAML.dump("foo")
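To see what the suggested replacement actually changes, the following added example (not code from RuboCop or Psych) feeds YAML.safe_load three constructed documents: a plain mapping, a document that asks Psych to instantiate a Ruby class, and a bare symbol. It also shows the allow-list form for the few extra types an application legitimately needs. The names load_untrusted_yaml, classify and SAMPLE_* are assumptions of this example; it requires Psych with keyword-argument safe_load (Ruby 2.6 or later).

```ruby
# Added example, not from the RuboCop docs. Shows what YAML.safe_load refuses
# and how to allow-list specific classes instead of falling back to YAML.load.
# Names (load_untrusted_yaml, classify, SAMPLE_*) are my own.
require 'yaml'

# Parse YAML from outside the process: only core scalars and collections, plus
# an explicit allow-list. Symbols are refused unless Symbol is permitted, and
# aliases are disabled so a document cannot reference itself repeatedly.
def load_untrusted_yaml(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted, aliases: false)
end

# Constructed sample documents.
SAMPLE_PLAIN  = "---\nname: app\nports: [80, 443]\n"
SAMPLE_OBJECT = "--- !ruby/object:Object {}\n" # asks Psych to build an object
SAMPLE_SYMBOL = "--- :restart\n"
SAMPLE_ALIAS  = "---\na: &x [1]\nb: *x\n"

# Returns :accepted or :rejected instead of raising, for easy comparison.
def classify(text, permitted: [])
  load_untrusted_yaml(text, permitted: permitted)
  :accepted
rescue Psych::DisallowedClass, Psych::BadAlias
  :rejected
end

if $PROGRAM_NAME == __FILE__
  [SAMPLE_PLAIN, SAMPLE_OBJECT, SAMPLE_SYMBOL, SAMPLE_ALIAS].each do |doc|
    puts "#{doc.inspect} => #{classify(doc)}"
  end
end
```

Psych raises Psych::DisallowedClass for both the object tag and the symbol; permitting Symbol explicitly accepts the second document while the first is still refused, which is the property YAML.load cannot offer.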
