File Coverage

blib/lib/Perl/Critic/Policy/Community/OpenArgs.pm
Criterion Covered Total %
statement 28 29 96.5
branch 6 6 100.0
condition 7 9 77.7
subroutine 10 11 90.9
pod 4 5 80.0
total 55 60 91.6


line stmt bran cond sub pod time code
1             package Perl::Critic::Policy::Community::OpenArgs;
2              
3 1     1   477 use strict;
  1         3  
  1         29  
4 1     1   5 use warnings;
  1         2  
  1         27  
5              
6 1     1   5 use Perl::Critic::Utils qw(:severities :classification :ppi);
  1         2  
  1         50  
7 1     1   379 use parent 'Perl::Critic::Policy';
  1         3  
  1         6  
8              
9             our $VERSION = 'v1.0.2';
10              
11 1     1   82 use constant DESC => 'open() called with less than 3 arguments';
  1         9  
  1         59  
12 1     1   7 use constant EXPL => 'The one- and two-argument forms of open() parse functionality from the filename, use the three-argument form instead.';
  1         2  
  1         302  
13              
14 5     5 0 18833 sub supported_parameters { () }
15 4     4 1 49 sub default_severity { $SEVERITY_MEDIUM }
16 0     0 1 0 sub default_themes { 'community' }
17 5     5 1 40986 sub applies_to { 'PPI::Token::Word' }
18              
19             sub violates {
20 21     21 1 1161 my ($self, $elem) = @_;
21 21 100 66     54 return () unless $elem eq 'open' and is_function_call $elem;
22            
23 9         2768 my @args = parse_arg_list $elem;
24 9 100       2180 if (@args < 3) {
25 6 100 66     51 return () if @args == 2 and $args[1][0]->isa('PPI::Token::Quote')
      100        
26             and $args[1][0]->string =~ /^(?:-\||\|-)\z/;
27 4         41 return $self->violation(DESC, EXPL, $elem);
28             }
29            
30 3         14 return ();
31             }
32              
33             1;
34              
35             =head1 NAME
36              
37             Perl::Critic::Policy::Community::OpenArgs - Always use the three-argument form
38             of open
39              
40             =head1 DESCRIPTION
41              
42             The C<open()> function may be called in a two-argument form where the filename
43             is parsed to determine the mode of opening, which may include piping input or
44             output. (In the one-argument form, this filename is retrieved from a global
45             variable, but the same magic is used.) This can lead to vulnerabilities if the
46             filename is retrieved from user input or could begin or end with a special
47             character. The three-argument form specifies the open mode as the second
48             argument, so it is always distinct from the filename.
49              
50             open FILE; # not ok
51             open my $fh, "<$filename"; # not ok
52             open my $fh, '<', $filename; # ok
53              
54             This policy is similar to the core policy
55             L<Perl::Critic::Policy::InputOutput::ProhibitTwoArgOpen>, but additionally
56             prohibits one-argument opens.
57              
58             =head1 AFFILIATION
59              
60             This policy is part of L<Perl::Critic::Community>.
61              
62             =head1 CONFIGURATION
63              
64             This policy is not configurable except for the standard options.
65              
66             =head1 AUTHOR
67              
68             Dan Book, C<dbook@cpan.org>
69              
70             =head1 COPYRIGHT AND LICENSE
71              
72             Copyright 2015, Dan Book.
73              
74             This library is free software; you may redistribute it and/or modify it under
75             the terms of the Artistic License version 2.0.
76              
77             =head1 SEE ALSO
78              
79             L<Perl::Critic>