Follow a Ruby 3.3 warning for Security/Open

This PR follows the following Ruby 3.3 warning for `Security/Open` when `open` with a literal string starting with a pipe: ```console $ ruby -we "open('| ls')" ruby 3.3.0 (2023-12-25 revision 5124f9ac75) [x86_64-darwin22] -e:1: warning: Calling Kernel#open with a leading '|' is deprecated and will be removed in Ruby 4.0; use IO.popen instead ```
rubocop · Dec 28, 2023 · 0187af3 · 0187af3
1 parent 9fb1e25
commit 0187af3
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 6 deletions.
diff --git a/changelog/change_follow_ruby33_warning_for_security_open.md b/changelog/change_follow_ruby33_warning_for_security_open.md
@@ -0,0 +1 @@
+* [#12572](https://github.com/rubocop/rubocop/pull/12572): Follow a Ruby 3.3 warning for `Security/Open` when `open` with a literal string starting with a pipe. ([@koic][])
diff --git a/lib/rubocop/cop/security/open.rb b/lib/rubocop/cop/security/open.rb
@@ -23,6 +23,7 @@ module Security
       #   # bad
       #   open(something)
       #   open("| #{something}")
+      #   open("| foo")
       #   URI.open(something)
       #
       #   # good
@@ -32,15 +33,14 @@ module Security
       #
       #   # good (literal strings)
       #   open("foo.text")
-      #   open("| foo")
       #   URI.open("http://example.com")
       class Open < Base
         MSG = 'The use of `%<receiver>sopen` is a serious security risk.'
         RESTRICT_ON_SEND = %i[open].freeze
 
         # @!method open?(node)
         def_node_matcher :open?, <<~PATTERN
-          (send ${nil? (const {nil? cbase} :URI)} :open $!str ...)
+          (send ${nil? (const {nil? cbase} :URI)} :open $_ ...)
         PATTERN
 
         def on_send(node)

diff --git a/spec/rubocop/cop/security/open_spec.rb b/spec/rubocop/cop/security/open_spec.rb
@@ -29,6 +29,13 @@
     RUBY
   end
 
+  it 'registers an offense for open with a literal string starting with a pipe' do
+    expect_offense(<<~RUBY)
+      open('| foo')
+      ^^^^ The use of `Kernel#open` is a serious security risk.
+    RUBY
+  end
+
   it 'registers an offense for open with a block' do
     expect_offense(<<~'RUBY')
       open("#{foo}.txt") do |f|
@@ -88,8 +95,4 @@
   it 'accepts open with a string that interpolates a literal' do
     expect_no_offenses('open "foo#{2}.txt"')
   end
-
-  it 'accepts open with a literal string starting with a pipe' do
-    expect_no_offenses('open "| foo"')
-  end
 end