Add more negative patterns to exclude cases of reading from a file for Yaml bad deserialization #3296
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For cases where
YAML.load(File.read(...))
was used, the rule flagged these as potential issues. However, when the same was written as,It was allowed. Either it is a problem with how the parser works, or the rule needs an additional negative pattern.
Likewise, the same is true for cases like
YAML.load($MOD.$METHOD(File.read(...)))
. Here, the file could be passed to a template renderer likeERB
, which, in this case, should be fine.These 2 FP conditions are covered. Also,
File.read
takes a file name as a string. It may not be explicitly needed to make the pattern expect a string.