betterlint 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 540ac996157d2947a10918bc50b385456ef3f861ec04159968da0733e0a35e02
-  data.tar.gz: 5c2d73e4041a2224abfdbd39a6777ae0ac7ccb99c1e03ba8c9bfd5d0d3ba4cad
+  metadata.gz: 530a4f9e133d2b476275f42d7f58050eab86379908d1d7b1ebc0ac56c7c680f5
+  data.tar.gz: 497ef95c882dae58db33bf6b7d02c28a63909968f6a751a0ed9a29c97d12aa83
 SHA512:
-  metadata.gz: 80a04cb42b4ce134acc6481e79e885ff97e1ce93498599458dea26fc810c64798dedab977ef7dfc0da8aef456a4ac194384db1191fbd818f491b0b10db9336b5
-  data.tar.gz: 26c35bc52635ed689783177f15020091e577df1abb779a9c95547ae428388f41af84420b471034ca283746e9dd2022ef99e98e885553c977964006de9efafde2
+  metadata.gz: 150b06a5b965394c1c7f00b95c7f3d1bb78e58855d300fb3041f90ad828fc023ca6e0cca02faad01274d58b3d5263bbf05acf337691ce5b89e98482596f30241
+  data.tar.gz: 2524c76c7a7ea7101f3987f79e31270fe0e51091aabf1f8bc229b9854285757e01b4c335e09be348a5f850f7b2f5b1fe16f18d4ff0d72eda94496cc1a54a0b46

data/README.md

@@ -156,3 +156,44 @@ Betterment/UnsafeJob:
 ```
 
 It may make sense to consult your application's values for `Rails.application.config.filter_parameters`; if the application is filtering specific parameters from being logged, it might be a good idea to prevent these values from being stored in plaintext in a database as well.
+
+### Betterment/NonStandardActions
+
+This cop looks at Rails route files and flags routes that go to non-standard controller actions.
+The 7 standard controller actions (index, show, new, edit, create, update, destroy) are well defined,
+which allow for policies and middleware that can be applied to any controller.
+For example, if we want a user role to only be able to view but not modify,
+we can blanket deny access to create, update, and destroy actions and have it work in most use cases.
+
+Custom actions require explicit configuration to work with these sorts of middleware,
+so we prefer to use new controllers instead. For example, a resourceful route with a custom action like this:
+
+```ruby
+Rails.application.routes.draw do
+  resources :alerts, only: [:index, :summary]
+end
+```
+
+This can instead by written with an additional controller:
+
+```ruby
+Rails.application.routes.draw do
+  resources :alerts, only: :index # AlertsController#index
+  namespace :alerts do
+    resource :summary, only: :show #Alerts::SummariesController#show
+  end
+end
+```
+
+By default this will look only in `config/routes.rb` and will use the standard 7 actions.
+These values can be configured:
+
+```yaml
+Betterment/NonStandardActions:
+  AdditionalAllowedActions:
+    - update_all
+    - destroy_all
+  Include:
+    - 'config/routes.rb'
+    - 'config/other_routes.rb'
+```

data/config/default.yml

@@ -20,6 +20,9 @@ AllCops:
   DisplayStyleGuide: true
   DisplayCopNames: true
 
+Betterment:
+  StyleGuideBaseURL: https://github.com/Betterment/betterlint
+
 Betterment/ServerErrorAssertion:
   Description: 'Detects assertions on 5XX HTTP statuses.'
   Include:
@@ -27,20 +30,43 @@ Betterment/ServerErrorAssertion:
 
 Betterment/AuthorizationInController:
   Description: 'Detects unsafe handling of id-like parameters in controllers.'
+  StyleGuide: '#bettermentauthorizationincontroller'
   Enabled: false
 
 Betterment/UnsafeJob:
   Enabled: false
+  StyleGuide: '#bettermentunsafejob'
   sensitive_params:
     - password
     - social_security_number
     - ssn
 
+Betterment/UnscopedFind:
+  StyleGuide: '#bettermentunscopedfind'
+
+Betterment/DynamicParams:
+  StyleGuide: '#bettermentdynamicparams'
+
 Betterment/SitePrismLoaded:
   Include:
     - 'spec/features/**/*_spec.rb'
     - 'spec/system/**/*_spec.rb'
 
+Betterment/NonStandardActions:
+  Description: 'Detects non-standard controller actions.'
+  StyleGuide: '#bettermentnonstandardactions'
+  AdditionalAllowedActions: []
+  StandardActions:
+    - index
+    - show
+    - new
+    - edit
+    - create
+    - update
+    - destroy
+  Include:
+    - 'config/routes.rb'
+
 Layout/ParameterAlignment:
   Enabled: false
 

data/lib/rubocop/cop/betterment/active_job_performable.rb

@@ -32,7 +32,7 @@ module RuboCop
         private
 
         def has_perform_method?(node)
-          node.descendants.find(&method(:is_perform_method?))
+          node.descendants.find { |n| is_perform_method?(n) }
         end
       end
     end

data/lib/rubocop/cop/betterment/dynamic_params.rb

@@ -27,7 +27,7 @@ module RuboCop
           return unless arg_nodes
 
           arg_nodes.find do |arg|
-            arg.array_type? && find_dynamic_param(arg.values) || !arg.literal? && !arg.const_type?
+            (arg.array_type? && find_dynamic_param(arg.values)) || (!arg.literal? && !arg.const_type?)
           end
         end
       end

data/lib/rubocop/cop/betterment/implicit_redirect_type.rb

@@ -46,7 +46,7 @@ module RuboCop
         def on_block(node)
           return unless routes_file?
 
-          if block_form_with_options(node) { |options| options.none?(&method(:valid_status_option?)) } || block_form_without_options?(node)
+          if block_form_with_options(node) { |options| options.none? { |n| valid_status_option?(n) } } || block_form_without_options?(node)
             add_offense(node)
           end
         end
@@ -54,7 +54,7 @@ module RuboCop
         def on_send(node)
           return unless routes_file?
 
-          if arg_form_with_options(node) { |options| options.none?(&method(:valid_status_option?)) } || arg_form_without_options?(node)
+          if arg_form_with_options(node) { |options| options.none? { |n| valid_status_option?(n) } } || arg_form_without_options?(node)
             add_offense(node)
           end
         end

data/lib/rubocop/cop/betterment/memoization_with_arguments.rb

@@ -3,8 +3,8 @@ module RuboCop
     module Betterment
       class MemoizationWithArguments < Cop
         MSG = 'Memoized method `%<method>s` accepts arguments, ' \
-          'which may cause it to return a stale result. ' \
-          'Remove memoization or refactor to remove arguments.'.freeze
+              'which may cause it to return a stale result. ' \
+              'Remove memoization or refactor to remove arguments.'.freeze
 
         def self.node_pattern
           memo_assign = '(or_asgn $(ivasgn _) _)'
@@ -21,7 +21,7 @@ module RuboCop
 
         def on_def(node)
           (method_name, ivar_assign) = memoized?(node)
-          return if ivar_assign.nil? || node.arguments.length.zero?
+          return if ivar_assign.nil? || node.arguments.length.zero? || method_name == :initialize
 
           msg = format(MSG, method: method_name)
           add_offense(node, location: ivar_assign.source_range, message: msg)

data/lib/rubocop/cop/betterment/non_standard_actions.rb

@@ -0,0 +1,74 @@
+module RuboCop
+  module Cop
+    module Betterment
+      class NonStandardActions < Cop
+        MSG_GENERAL = 'Use a new controller instead of custom actions.'.freeze
+        MSG_RESOURCE_ONLY = "Resource route refers to a non-standard action in it's 'only:' param. #{MSG_GENERAL}".freeze
+        MSG_ROUTE_TO = "Route goes to a non-standard controller action. #{MSG_GENERAL}".freeze
+
+        # @!method routes?(node)
+        def_node_matcher :routes?, <<-PATTERN
+          (block (send (send (send (const nil? :Rails) :application) :routes) :draw) ...)
+        PATTERN
+
+        # @!method resource_with_only(node)
+        def_node_matcher :resource_with_only, <<-PATTERN
+          (send nil? {:resource :resources} _ (hash <(pair (sym :only) {(array (sym $_)*) (sym $_*)} ) ...> ))
+        PATTERN
+
+        def not_to_or_action?(sym)
+          !%i(to action).include?(sym)
+        end
+
+        # @!method route_to(node)
+        def_node_matcher :route_to, <<~PATTERN
+          (send nil? {:match :get :post :put :patch :delete} ({str sym} $_) (hash {
+            <(pair (sym ${:to :action}) ({str sym} $_)) ...>
+            (pair (sym $#not_to_or_action?) $_)*
+          })?)
+        PATTERN
+
+        def on_block(node)
+          if routes?(node)
+            node.each_descendant(:send) do |descendant_node|
+              check_resource_with_only(descendant_node) || check_raw_route(descendant_node)
+            end
+          end
+        end
+
+        private
+
+        def check_resource_with_only(node)
+          resource_only = resource_with_only(node)
+          if resource_only && resource_only.any? { |action| !allowed_action?(action) }
+            add_offense(node, message: MSG_RESOURCE_ONLY)
+            true
+          end
+        end
+
+        def check_raw_route(node)
+          route = route_to(node)
+          if route
+            (path, param, value) = route
+            action = case param
+                       when :to then value.first.split('#').last
+                       when :action then value.first
+                       else path
+                     end
+            add_offense(node, message: MSG_ROUTE_TO) unless allowed_action?(action)
+            true
+          end
+        end
+
+        # NOTE: The InternalAffairs/UndefinedConfig rule seems to have a bug where it can't fine these configs in config/default.yml
+        def allowed_actions
+          @allowed_actions ||= cop_config['StandardActions'] + cop_config['AdditionalAllowedActions'] # rubocop:disable InternalAffairs/UndefinedConfig
+        end
+
+        def allowed_action?(action)
+          allowed_actions.include?(action.to_s)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/betterment.rb

@@ -7,6 +7,7 @@ require 'rubocop/cop/betterment/unscoped_find'
 require 'rubocop/cop/betterment/unsafe_job'
 require 'rubocop/cop/betterment/timeout'
 require 'rubocop/cop/betterment/memoization_with_arguments'
+require 'rubocop/cop/betterment/non_standard_actions'
 require 'rubocop/cop/betterment/site_prism_loaded'
 require 'rubocop/cop/betterment/spec_helper_required_outside_spec_dir'
 require 'rubocop/cop/betterment/implicit_redirect_type'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: betterlint
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Development
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-28 00:00:00.000000000 Z
+date: 2022-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -98,16 +98,16 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -139,6 +139,7 @@ files:
 - lib/rubocop/cop/betterment/dynamic_params.rb
 - lib/rubocop/cop/betterment/implicit_redirect_type.rb
 - lib/rubocop/cop/betterment/memoization_with_arguments.rb
+- lib/rubocop/cop/betterment/non_standard_actions.rb
 - lib/rubocop/cop/betterment/server_error_assertion.rb
 - lib/rubocop/cop/betterment/site_prism_loaded.rb
 - lib/rubocop/cop/betterment/spec_helper_required_outside_spec_dir.rb
@@ -150,7 +151,8 @@ files:
 homepage:
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -159,14 +161,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.4'
+      version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.3.7
 signing_key:
 specification_version: 4
 summary: Betterment rubocop configuration