Merge pull request #16349 from hmac/hmac-uri-open

hmac · web-flow · commit 8ccedd658a05 · 2024-04-29T09:42:39.000+01:00
Ruby: Add URI.open example to rb/kernel-open qhelp
diff --git a/ruby/ql/src/queries/security/cwe-078/examples/file_open.rb b/ruby/ql/src/queries/security/cwe-078/examples/file_open.rb
@@ -1,6 +1,9 @@
 class UsersController < ActionController::Base
-    def create
-      filename = params[:filename]
-      File.open(filename)
-    end
-  end  
+  def create
+    filename = params[:filename]
+    File.open(filename)
+
+    web_page = params[:web_page]
+    Net::HTTP.get(URI.parse(web_page))
+  end
+end
diff --git a/ruby/ql/src/queries/security/cwe-078/examples/kernel_open.rb b/ruby/ql/src/queries/security/cwe-078/examples/kernel_open.rb
@@ -1,6 +1,11 @@
+require "open-uri"
+
 class UsersController < ActionController::Base
   def create
     filename = params[:filename]
     open(filename) # BAD
+
+    web_page = params[:web_page]
+    URI.open(web_page) # BAD - calls `Kernel.open` internally
   end
-end  
+end
