Rubocop: How to fix "Kernel#open is a serious security risk" warnings

Created on 25 Aug 2018  ·  6 Comments  ·  Source: rubocop-hq/rubocop

With the logic like this:

require 'open-uri'

document_url = 'https://example.com/document.txt' # a file on the internet (placeholder URL)
content = open(document_url).read

Rubocop will raise the Security/Open: The use of Kernel#open is a serious security risk warning. I looked up the documentation and it suggests File.open(something) or IO.popen(something), but neither of them works when opening files on the internet.

How can I get on with it?

Most helpful comment

#6210 updated the document. A description about URI#open has been added.

All 6 comments

#6210 updated the document. A description about URI#open has been added.

Would be helpful to tell people to use Net::HTTP too, should they use open-uri for that.

Can we get some clarity here?

Should we not use URI.parse(url).open anymore?

Is Net::HTTP.get_response(URI(url)) favoured now?

Thanks.


This cop checks for the use of Kernel#open and URI.open.

Kernel#open and URI.open enable not only file access but also process invocation by prefixing a pipe symbol (e.g., open("| ls")). So, it may lead to a serious security risk by using variable input to the argument of Kernel#open and URI.open. It would be better to use File.open, IO.popen or URI.parse#open explicitly.

https://www.rubydoc.info/gems/rubocop/RuboCop/Cop/Security/Open

Actually just use URI.open(), which works as a drop-in replacement for Kernel.open() (i.e. open()) and will be accepted by Rubocop too, contrary to what the docs say (RC version 0.93.1).

Actually URI.parse(something).open doesn't exist (tested with ruby 2.7).


I replaced open() with URI.open() and rubocop smiled.
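The cop description quoted above makes the actual risk concrete: Kernel#open treats a leading pipe as "run this command", so the danger is not the URL itself but untrusted input reaching open(). The example below is added here and is not code from RuboCop or from anyone in this thread. It takes the thread's two suggestions (parse the URL explicitly, fetch with Net::HTTP) and turns them into a small helper that only ever fetches http(s) URIs: anything that does not parse as a URI, including a pipe-prefixed string, or that parses to a non-HTTP scheme, is rejected before any I/O happens. The helper names (remote_uri_from, fetch_document), the StubHTTP stand-in and the example URLs are all constructed for the demo; the stub exists so the code runs offline.

```ruby
require 'uri'
require 'net/http'

# Added example, not code from the RuboCop project or from this thread.
# Instead of handing untrusted input straight to Kernel#open or URI.open
# (both of which treat a leading "|" as "run this command"), parse the
# input as a URI first and refuse anything that is not plain http(s).

ALLOWED_SCHEMES = %w[http https].freeze

# Returns a URI::HTTP / URI::HTTPS for +input+, or raises ArgumentError.
# A pipe-prefixed string such as "| ls" never gets past this point:
# URI.parse rejects it outright, and a "file:" URL or a bare word like
# "ls" parses to something other than URI::HTTP and fails the check.
def remote_uri_from(input)
  uri = URI.parse(input.to_s)
  unless uri.is_a?(URI::HTTP) && ALLOWED_SCHEMES.include?(uri.scheme) && uri.host
    raise ArgumentError, "refusing non-HTTP(S) target: #{input.inspect}"
  end
  uri
rescue URI::InvalidURIError => e
  raise ArgumentError, "not a valid URI: #{input.inspect} (#{e.message})"
end

# Fetch the document body. +client+ is injectable so the function can be
# exercised offline with a stub; the default is the real Net::HTTP, which
# has no notion of "|" and cannot be talked into spawning a process.
def fetch_document(input, client: Net::HTTP)
  uri = remote_uri_from(input)
  response = client.get_response(uri)
  code = Integer(response.code)
  raise "unexpected HTTP status #{code} for #{uri}" unless code.between?(200, 299)
  response.body
end

# Constructed stand-in for Net::HTTP so the demo runs without network access.
module StubHTTP
  Response = Struct.new(:code, :body)
  DOCUMENTS = { 'https://example.com/doc.txt' => 'hello from the stub' }.freeze

  def self.get_response(uri)
    body = DOCUMENTS[uri.to_s]
    body ? Response.new('200', body) : Response.new('404', '')
  end
end

if $PROGRAM_NAME == __FILE__
  puts fetch_document('https://example.com/doc.txt', client: StubHTTP)
  ['| ls', 'file:///etc/hosts', 'ls'].each do |bad|
    begin
      fetch_document(bad, client: StubHTTP)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

If you would rather keep open-uri, the same validation step applies: once remote_uri_from has returned a URI::HTTP object, `uri.open.read` uses the `open` method that open-uri adds to URI::HTTP, and the pipe-to-process path is never reachable because the argument is an already-parsed URI rather than a string. The point either way is that the scheme check happens before, not inside, the call that does I/O.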
