Document possible attack vector on get

rafaelfranca · web-flow · commit 77b0dd56d4bf · 2018-07-05T17:41:21.000-04:00
This method is not supposed to receive user input, but if it does it will be vulnerable for a command injection attack. Closes #514
diff --git a/lib/thor/actions/file_manipulation.rb b/lib/thor/actions/file_manipulation.rb
@@ -60,6 +60,9 @@ def link_file(source, *args)
     # destination. If a block is given instead of destination, the content of
     # the url is yielded and used as location.
     #
+    # +get+ relies on open-uri, so passing application user input would provide
+    # a command injection attack vector.
+    #
     # ==== Parameters
     # source<String>:: the address of the given content.
     # destination<String>:: the relative path to the destination root.
