app/models/miq_server/server_smart_proxy.rb
Avoid rescuing the Exception class. Perhaps you meant to rescue StandardError?
rescue Exception => err
_log.error(err.to_s)
_log.log_backtrace(err, :debug)
job.signal(:abort_retry, err.to_s, "error", true)
return
Checks for rescue blocks targeting the Exception class.
Example:
# bad
begin
do_something
rescue Exception
handle_exception
end
Example:
# good
begin
do_something
rescue ArgumentError
handle_exception
end
Prefer using YAML.safe_load over YAML.load.
ost.args[1] = YAML.load(ost.args[1]) # TODO: YAML.dump'd in call_scan - need it be?
Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
NOTE: Ruby 3.1+ (Psych 4) uses Psych.load as Psych.safe_load by default.
Safety:
The behavior of the code might change depending on what was in the YAML payload, since YAML.safe_load is more restrictive.
Example:
# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default
# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo]) # Ruby 2.5 (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.1+ (Psych 4)
YAML.dump(foo)