										 |  |  | # frozen_string_literal: true | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | require "rubocops/io_read" | 
					
						
# Specs for the Homebrew/IORead cop.
#
# Ruby's `IO.read` has historically treated an argument that begins with "|"
# as a command to run in a subprocess instead of a file path. A value that
# starts with a pipe, or whose start cannot be known from the source text,
# can therefore turn a file read into command execution. The examples below
# pin which argument shapes are flagged and which are accepted.
#
# The caret lines inside the heredocs are position-sensitive: they mark the
# exact columns of the expected offense and must stay aligned with the call
# on the line above.
RSpec.describe RuboCop::Cop::Homebrew::IORead do
  subject(:cop) do
    described_class.new
  end

  # --- Plain string literals -------------------------------------------------

  it "reports an offense when `IO.read` is used with a pipe character" do
    # The unambiguous case: the literal itself starts with "|".
    flagged = <<~RUBY
      IO.read("|echo test")
      ^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  it "does not report an offense when `IO.read` is used without a pipe character" do
    # A literal path with no leading pipe is accepted.
    accepted = <<~RUBY
      IO.read("file.txt")
    RUBY

    expect_no_offenses(accepted)
  end

  # --- Bare variables --------------------------------------------------------

  it "reports an offense when `IO.read` is used with untrustworthy input" do
    # A bare variable is flagged even though the value assigned here is
    # harmless: the expectation is on the argument's shape, not its contents.
    flagged = <<~RUBY
      input = "input value from an unknown source"
      IO.read(input)
      ^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  # --- Interpolated strings --------------------------------------------------
  # These heredocs are single-quoted so that `#{input}` reaches the cop as
  # source text instead of being interpolated by the spec itself.

  it "reports an offense when `IO.read` is used with a dynamic string starting with a pipe character" do
    flagged = <<~'RUBY'
      input = "test"
      IO.read("|echo #{input}")
      ^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  it "reports an offense when `IO.read` is used with a dynamic string at the start" do
    # The interpolation comes first, so the leading character of the final
    # string is not fixed by the literal part.
    flagged = <<~'RUBY'
      input = "|echo test"
      IO.read("#{input}.txt")
      ^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  it "does not report an offense when `IO.read` is used with a dynamic string safely" do
    # A fixed, non-pipe literal prefix precedes the interpolation.
    accepted = <<~'RUBY'
      input = "test"
      IO.read("somefile#{input}.txt")
    RUBY

    expect_no_offenses(accepted)
  end

  # --- Concatenated strings --------------------------------------------------

  it "reports an offense when `IO.read` is used with a concatenated string starting with a pipe character" do
    flagged = <<~RUBY
      input = "|echo test"
      IO.read("|echo " + input)
      ^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  it "reports an offense when `IO.read` is used with a concatenated string starting with untrustworthy input" do
    # The variable is the leftmost operand, so it decides the first character.
    flagged = <<~RUBY
      input = "|echo test"
      IO.read(input + ".txt")
      ^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY

    expect_offense(flagged)
  end

  it "does not report an offense when `IO.read` is used with a concatenated string safely" do
    # A fixed, non-pipe literal is the leftmost operand.
    accepted = <<~RUBY
      input = "test"
      IO.read("somefile" + input + ".txt")
    RUBY

    expect_no_offenses(accepted)
  end
end