(PUP-11772) Resolve Security cops main #9159
Merged
Commits on Nov 21, 2023
-
(PUP-11772) Resolve Security/Open
When opening a file path, use File.open When opening a URL, use URI.parse(..).open The Windows package class includes our Registry module which defines `open`. Use the fully qualified name to avoid rubocop confusion.
-
(PUP-11772) Resolve Security/Eval
Both actions and functions/data types already define arbitrary code and are loaded from trusted locations, so using eval isn't any worse. I updated the ActionBuilder to delegate specific methods to the action. For example, if an action calls the DSL method `summary "something"`, then the ActionBuilder will call the corresponding setter on the Action, e.g. Action#summary = "something". The Action code is bit more complicated because the arity of the block passed to `when_invoked=` may be 0, positive or negative, depending on whether it accepts optional arguments. Since we don't support Ruby 1.8 - 2.6, it could be improved in the future to not call `eval`, but I didn't feel like bothering.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.