author    Geremia Taglialatela <[email protected]>  2023-04-08 12:08:29 +0200
committer Geremia Taglialatela <[email protected]>  2023-04-08 12:08:29 +0200
commit    73f72e428d2b55cc358086d460141a2c3d7d561b (patch)
tree      9644e523d76a7f9edb5eeda2266a9910990a6414
parent    c5ddbe7cd9bb15e8b247e6b5a5e359d02dd5b9fe (diff)
Use File.read instead of IO.read

If the argument starts with a pipe character (`'|'`) and the receiver is the `IO` class, a subprocess is created in the same way as `Kernel#open`, and its output is returned. `Kernel#open` may allow unintentional command injection, which is the reason these `IO` methods are a security risk. Consider using `File.read` to disable the behavior of subprocess invocation.

Close #193

Ref: https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/IoMethods
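The commit message above describes the one behavioural difference that matters here: `IO.read` (like `Kernel#open`) treats a leading `|` as a command to spawn, while `File.read` treats every string as a file name. The script below is an added example, not caxlsx code; the helper names `pipe_sigil?`, `read_part_bytes`, `try_read_part` and `demo_roundtrip` are my own, and `read_part_bytes` simply mirrors the patched `File.read(path, mode: "rb")` call. It shows that a pipe-prefixed string handed to the patched code resolves to a missing file rather than a process, and that ordinary binary parts still round-trip.

```ruby
require "tempfile"

# Kernel#open and the IO class methods (IO.read, IO.readlines, IO.foreach)
# treat a leading "|" as "spawn this command and read its stdout".
# File.read has no such special case: the string is always a file name.
# Useful as a cheap guard or a lint check on caller-supplied paths.
def pipe_sigil?(path)
  path.to_s.start_with?("|")
end

# Mirrors the patched caxlsx line: File.read in binary mode (assumed helper name).
def read_part_bytes(path)
  File.read(path, mode: "rb")
end

# Wraps read_part_bytes so callers get a status instead of an exception.
# A "|cmd" string is an ordinary (nonexistent) file name here, so it yields
# :missing rather than a subprocess. POSIX reports ENOENT; Windows rejects
# "|" inside file names with EINVAL, so both are reported as :missing.
def try_read_part(path)
  [:ok, read_part_bytes(path)]
rescue Errno::ENOENT, Errno::EINVAL
  [:missing, nil]
end

# Constructed sample: the 8-byte PNG signature, built with pack so the
# string is binary-encoded regardless of the source file's encoding.
SAMPLE_BYTES = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A].pack("C*")

# Round-trips the sample through a real temp file to show the happy path:
# File.read in "rb" mode returns the bytes unchanged.
def demo_roundtrip
  Tempfile.create(["part", ".png"]) do |f|
    f.binmode
    f.write(SAMPLE_BYTES)
    f.flush
    read_part_bytes(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  p try_read_part("|echo injected")   # => [:missing, nil]; nothing is executed
  p demo_roundtrip == SAMPLE_BYTES     # => true
end
```

The `pipe_sigil?` check is a belt-and-braces addition rather than the fix itself: once `File.read` is in place the sigil is inert, but rejecting or logging such paths at the API boundary makes a regression to `IO.read` visible in tests instead of silent.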
-rw-r--r--  lib/axlsx/package.rb  2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/axlsx/package.rb b/lib/axlsx/package.rb
index 6baaa173..be34788b 100644
--- a/lib/axlsx/package.rb
+++ b/lib/axlsx/package.rb
@@ -187,7 +187,7 @@ module Axlsx
end
unless part[:path].nil?
zip.put_next_entry(zip_entry_for_part(part))
- zip.write IO.read(part[:path], mode: "rb")
+ zip.write File.read(part[:path], mode: "rb")
end
end
zip
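Review bot: The swap to `File.read` on the `zip.write` line is the right fix for the `'|'` subprocess case, but it only closes that one path: `part[:path]` still reaches the filesystem unchecked, so callers must still be trusted with the paths they hand to the package, and that expectation is worth stating in the method's documentation. Since this diff touches a single call site in `lib/axlsx/package.rb`, I would also sweep the rest of the gem for `IO.read`, `IO.readlines` and `IO.foreach`, and enable the RuboCop `Security/IoMethods` cop cited in the commit message in the project's lint configuration so the `IO` receiver cannot creep back in.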