da734a30c2
- Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong.
76 lines
2.3 KiB
Ruby
76 lines
2.3 KiB
Ruby
# typed: false
|
|
# frozen_string_literal: true
|
|
|
|
require "rubocops/io_read"
|
|
|
|
describe RuboCop::Cop::Homebrew::IORead do
|
|
subject(:cop) { described_class.new }
|
|
|
|
it "reports an offense when `IO.read` is used with a pipe character" do
|
|
expect_offense(<<~RUBY)
|
|
IO.read("|echo test")
|
|
^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "does not report an offense when `IO.read` is used without a pipe character" do
|
|
expect_no_offenses(<<~RUBY)
|
|
IO.read("file.txt")
|
|
RUBY
|
|
end
|
|
|
|
it "reports an offense when `IO.read` is used with untrustworthy input" do
|
|
expect_offense(<<~RUBY)
|
|
input = "input value from an unknown source"
|
|
IO.read(input)
|
|
^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "reports an offense when `IO.read` is used with a dynamic string starting with a pipe character" do
|
|
expect_offense(<<~'RUBY')
|
|
input = "test"
|
|
IO.read("|echo #{input}")
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "reports an offense when `IO.read` is used with a dynamic string at the start" do
|
|
expect_offense(<<~'RUBY')
|
|
input = "|echo test"
|
|
IO.read("#{input}.txt")
|
|
^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "does not report an offense when `IO.read` is used with a dynamic string safely" do
|
|
expect_no_offenses(<<~'RUBY')
|
|
input = "test"
|
|
IO.read("somefile#{input}.txt")
|
|
RUBY
|
|
end
|
|
|
|
it "reports an offense when `IO.read` is used with a concatenated string starting with a pipe character" do
|
|
expect_offense(<<~RUBY)
|
|
input = "|echo test"
|
|
IO.read("|echo " + input)
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "reports an offense when `IO.read` is used with a concatenated string starting with untrustworthy input" do
|
|
expect_offense(<<~RUBY)
|
|
input = "|echo test"
|
|
IO.read(input + ".txt")
|
|
^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
|
|
RUBY
|
|
end
|
|
|
|
it "does not report an offense when `IO.read` is used with a concatenated string safely" do
|
|
expect_no_offenses(<<~RUBY)
|
|
input = "test"
|
|
IO.read("somefile" + input + ".txt")
|
|
RUBY
|
|
end
|
|
end
|