If the argument starts with a pipe character ('|') and the receiver is the IO class, a subprocess is created in the same way as Kernel#open, and its output is returned. Kernel#open may allow unintentional command injection, which is the reason these IO methods are a security risk. Consider using File.read to disable the behavior of subprocess invocation.
Ref: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/IoMethods
Why and what is being done.
Pre-Merge Checklist
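The behavior described above can be checked locally with the following added example, which is not code from this change or from RuboCop. The helper names and the marker-file command are constructed for the demo; it reports whether a reader runs a subprocess for a pipe-prefixed argument and shows that File.read treats such a name as an ordinary file.

```ruby
require "tmpdir"
require "shellwords"

# Returns true if calling `reader` with a pipe-prefixed argument ran a
# subprocess. The argument is constructed for this demo: its command only
# creates a marker file inside a throwaway temp directory.
def pipe_spawns_subprocess?(reader)
  Dir.mktmpdir do |dir|
    marker = File.join(dir, "marker")
    begin
      reader.call("|touch #{Shellwords.escape(marker)}")
    rescue SystemCallError
      # The reader treated the argument as a plain path and found no file.
    end
    File.exist?(marker)
  end
end

# Shows that File.read opens a file whose name literally starts with '|'.
# Returns the file content read back through the pipe-prefixed name.
def file_read_literal_pipe_name
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      File.write("|note.txt", "plain file content")
      File.read("|note.txt")
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}"
  # Result for IO.read depends on the Ruby version running the check.
  puts "IO.read spawns subprocess:   #{pipe_spawns_subprocess?(IO.method(:read))}"
  puts "File.read spawns subprocess: #{pipe_spawns_subprocess?(File.method(:read))}"
  puts "File.read('|note.txt') => #{file_read_literal_pipe_name.inspect}"
end
```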