fix(ruby): add missing URI#read case (#355)

Bearer · Apr 2, 2024 · 43741ab · 43741ab
1 parent e001462
commit 43741ab
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 1 deletion.
diff --git a/rules/ruby/lang/http_url_using_user_input.yml b/rules/ruby/lang/http_url_using_user_input.yml
@@ -99,11 +99,15 @@ patterns:
       - variable: USER_INPUT
         detection: ruby_shared_common_user_input
         scope: result
-  - pattern: $<URI>.open$<...>
+  - pattern: $<URI>.$<METHOD>$<...>
     filters:
       - variable: URI
         detection: ruby_lang_http_url_using_user_input_uri
         scope: cursor
+      - variable: METHOD
+        values:
+          - open
+          - read
   - pattern: open($<URI>$<...>)$<...>
     filters:
       - variable: URI

diff --git a/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb b/tests/ruby/lang/http_url_using_user_input/testdata/ok_not_unsafe.rb
@@ -64,3 +64,4 @@
 open(uri, "r")
 Kernel.open(uri) {}
 uri.open
+uri.read
diff --git a/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb b/tests/ruby/lang/http_url_using_user_input/testdata/unsafe_open.rb
@@ -8,3 +8,6 @@
 
 # bearer:expected ruby_lang_http_url_using_user_input
 uri.open
+
+# bearer:expected ruby_lang_http_url_using_user_input
+uri.read