File Coverage

blib/lib/Perl/Critic/Policy/Community/OpenArgs.pm
Criterion Covered Total %
statement 28 29 96.5
branch 6 6 100.0
condition 7 9 77.7
subroutine 10 11 90.9
pod 4 5 80.0
total 55 60 91.6


line stmt bran cond sub pod time code
1              
2             use strict;
3 1     1   358 use warnings;
  1         3  
  1         22  
4 1     1   4  
  1         3  
  1         23  
5             use Perl::Critic::Utils qw(:severities :classification :ppi);
6 1     1   4 use parent 'Perl::Critic::Policy';
  1         2  
  1         41  
7 1     1   320  
  1         1  
  1         5  
8             our $VERSION = 'v1.0.3';
9              
10             use constant DESC => 'open() called with less than 3 arguments';
11 1     1   66 use constant EXPL => 'The one- and two-argument forms of open() parse functionality from the filename, use the three-argument form instead.';
  1         2  
  1         47  
12 1     1   5  
  1         2  
  1         253  
13              
14 5     5 0 14012 my ($self, $elem) = @_;
15 4     4 1 36 return () unless $elem eq 'open' and is_function_call $elem;
16 0     0 1 0
17 5     5 1 32209 my @args = parse_arg_list $elem;
18             if (@args < 3) {
19             return () if @args == 2 and $args[1][0]->isa('PPI::Token::Quote')
20 21     21 1 912 and $args[1][0]->string =~ /^(?:-\||\|-)\z/;
21 21 100 66     43 return $self->violation(DESC, EXPL, $elem);
22             }
23 9         2095
24 9 100       1788 return ();
25 6 100 66     36 }
      100        
26              
27 4         30 1;
28              
29             =head1 NAME
30 3         10  
31             Perl::Critic::Policy::Community::OpenArgs - Always use the three-argument form
32             of open
33              
34             =head1 DESCRIPTION
35              
36             The C<open()> function may be called in a two-argument form where the filename
37             is parsed to determine the mode of opening, which may include piping input or
38             output. (In the one-argument form, this filename is retrieved from a global
39             variable, but the same magic is used.) This can lead to vulnerabilities if the
40             filename is retrieved from user input or could begin or end with a special
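41             character: a leading C<< > >> opens the file for writing, and a leading or trailing C<|> runs the rest of the string as a command. The three-argument form specifies the open mode as the second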
42             argument, so it is always distinct from the filename.
43              
44             open FILE; # not ok
45             open my $fh, "<$filename"; # not ok
46             open my $fh, '<', $filename; # ok
47              
48             This policy is similar to the core policy
49             L<Perl::Critic::Policy::InputOutput::ProhibitTwoArgOpen>, but additionally
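50             prohibits one-argument opens. A two-argument call whose second argument is the quoted literal C<-|> or C<|-> is not reported. The check only counts arguments; it does not inspect the mode or the values passed to a three-argument open, so a three-argument pipe open that is given one interpolated command string still needs review (the list form, with the command and its arguments passed separately, avoids the shell).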
51              
52             =head1 AFFILIATION
53              
54             This policy is part of L<Perl::Critic::Community>.
55              
56             =head1 CONFIGURATION
57              
58             This policy is not configurable except for the standard options.
59              
60             =head1 AUTHOR
61              
62             Dan Book, C<dbook@cpan.org>
63              
64             =head1 COPYRIGHT AND LICENSE
65              
66             Copyright 2015, Dan Book.
67              
68             This library is free software; you may redistribute it and/or modify it under
69             the terms of the Artistic License version 2.0.
70              
71             =head1 SEE ALSO
72              
73             L<Perl::Critic>