betterlint 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 540ac996157d2947a10918bc50b385456ef3f861ec04159968da0733e0a35e02
+  data.tar.gz: 5c2d73e4041a2224abfdbd39a6777ae0ac7ccb99c1e03ba8c9bfd5d0d3ba4cad
+SHA512:
+  metadata.gz: 80a04cb42b4ce134acc6481e79e885ff97e1ce93498599458dea26fc810c64798dedab977ef7dfc0da8aef456a4ac194384db1191fbd818f491b0b10db9336b5
+  data.tar.gz: 26c35bc52635ed689783177f15020091e577df1abb779a9c95547ae428388f41af84420b471034ca283746e9dd2022ef99e98e885553c977964006de9efafde2

data/README.md

@@ -0,0 +1,158 @@
+# Betterlint
+
+Shared rubocop configuration for Betterment Rails apps/engines.
+
+Check out the [styleguide](STYLEGUIDE.md) for some additional commentary on our cop configurations.
+
+## Installation
+
+Gemfile:
+
+```ruby
+gem 'betterlint'
+```
+
+.rubocop.yml:
+
+```yml
+inherit_gem:
+  betterlint:
+    - config/default.yml
+```
+
+## Dependencies
+
+This gem depends on the following other gems:
+
+- rubocop
+- rubocop-rspec
+
+## Custom Cops
+
+All cops are located under [`lib/rubocop/cop/betterment`](lib/rubocop/cop/betterment)
+
+### Betterment/AuthorizationInController
+
+This cop looks for unsafe handling of id-like parameters in controllers that may lead to [insecure direct object reference vulnerabilities](https://portswigger.net/web-security/access-control/idor). It does this by tracking methods that retrieve input from the client and variables that hold onto these values. Any models initialized or updated using these values will then be flagged by the cop. Take this example controller:
+
+```ruby
+class Controller
+  def create_params
+    params.permit(:user_id, :language)
+  end
+
+  def create
+    info = params.permit(:user_id)
+    Model.new(user_id: info[:user_id], language: params[:language])
+    Model.new(user_id: params[:user_id], language: params[:language])
+    Model.new(create_params)
+  end
+end
+```
+
+All three `Model.new` calls may be susceptible to an insecure direct object reference vulnerability. This may end up letting attackers read and write content belonging to other users. To address these vulnerabilities, some form of authorization will be needed to ensure that the user issuing this request is allowed to create a `Model` that references the specific `user_id`. To get a better understanding of what this cop flags and doesn't flag, take a look at its [spec](spec/rubocop/cop/betterment/authorization_in_controller_spec.rb).
+
+In cases where more fine-grained control over what parameters are considered sensitive is desired, two configuration options can be used: `unsafe_parameters` and `unsafe_regex`. By default this cop will flag unsafe uses of any parameters whose names end in `_id`, but additional parameters can be specified by configuring `unsafe_parameters`. In cases where the default pattern of `.*_id` is insufficient or incorrect, this regex can be swapped out by specifying the `unsafe_regex` configuration option. In total, this cop will flag any parameters whose names are on the `unsafe_parameters` list or matches the `unsafe_regex` pattern.
+
+This is what a full configuration of this cop may look like:
+
+```yaml
+Betterment/AuthorizationInController:
+  # Limit this cop just to controllers
+  Include:
+    - 'app/controllers/**/*.rb'
+  unsafe_parameters:
+    - username
+    - misc_unsafe_parameter
+  unsafe_regex: '.*_id$'
+```
+
+### Betterment/UnscopedFind
+
+This cop flags code that passes user input directly into a `find`-like call that may lead to authorization issues (such as [indirect object reference vulnerabilities](https://portswigger.net/web-security/access-control/idor)). For example, a controller that uses user input to find a document will need to ensure that the user is authorized to access that document. Take the following sample:
+
+```ruby
+class Controller
+  def index
+    @document = Document.find(params[:document_id])
+  end
+end
+```
+
+In this case, `@document` may not belong to the user and authorization will have to be done somewhere else, potentially introducing a vulnerability. One way to address this violation is to replace the `Document.find(...)` call with a `current_user.documents.find(...)` call. This fails fast when `current_user` is not authorized to access the document, without an extra authorization check that a `Document.find` call would require.
+
+When dealing with models whose data is not ever considered private, it may make sense to add them to the `unauthenticated_models` configuration option. For example, reference data such as `ZipCode` or `Language` may be represented using models, but may not make sense to enforce any form of authentication. Take the sample controller below:
+
+```ruby
+class Controller < UnauthenticatedWebappController
+  def index
+    @language = Language.find(params[:language])
+    @zip = ZipCode.find(params[:zip])
+  end
+end
+```
+
+There is nothing specific to a user or otherwise anything sensitive about `Language` or `ZipCode`. The cop can be configured to treat these models as unauthenticated so that calling `find`-like methods with them will not trigger any violations:
+
+```yaml
+Betterment/UnscopedFind:
+  unauthenticated_models:
+    - Language
+    - ZipCode
+```
+
+### Betterment/DynamicParams
+
+This cop flags code that accesses parameters whose names may be dynamically generated, such as a list of parameters in an a global variable or a return value from a method. In some cases, dynamically accessing parameter names can obscure what the client is expected to send and may make it difficult to reason about the code, both manually and programmatically. For example:
+
+```ruby
+class Controller
+  def create_param_names
+    %i(user_id first_name last_name)
+  end
+
+  def create
+    parameter_name = :user_id
+    params.permit(parameter_name)
+    params.permit(create_params_names)
+    params.permit(%w(blog post comment).flat_map { |p| ["#{p}_name", "#{p}_title"] })
+  end
+end
+```
+
+All three `params.permit` calls will be flagged.
+
+### Betterment/UnsafeJob
+
+This cop flags delayed jobs (e.g. ActiveJob, delayed_job) whose classes accept sensitive data via a `perform` or `initialize` method. Jobs are serialized in plaintext, so any sensitive data they accept will be accessible in plaintext to everyone with database access. Instead, consider passing ActiveRecord instances that appropriately handle sensitive data (e.g. encrypted at rest and decrypted when the data is needed) or avoid passing in this data entirely.
+
+```ruby
+class RegistrationJob < ApplicationJob
+  def perform(user:, password:, authorization_token:)
+    # do something to the user with the password and authorization_token
+  end
+end
+```
+
+When a `RegistrationJob` gets queued, this job will get serialized, leaving both `password` and `authorization_token` accessible in plaintext. `Betterment/UnsafeJob` can be configured to flag parameters like these to discourage their use. Some ways to remediate this might be to stop passing in `password`, and to encrypt `authorization_token` and storing it alongside the user object. For example:
+
+```ruby
+class RegistrationJob < ApplicationJob
+  def perform(user:)
+    authorization_token = user.authorization_token.decrypt
+    # do something with the authorization_token
+  end
+end
+```
+
+By default, this job will look at classes whose name ends with `Job` but this can be replaced with any regex. This cop can also be configured to take an arbitrary list of parameter names so that any Job found accepting these parameters will be flagged.
+
+```yaml
+Betterment/UnsafeJob:
+  class_regex: .*Job$
+  sensitive_params:
+    - password
+    - authorization_token
+```
+
+It may make sense to consult your application's values for `Rails.application.config.filter_parameters`; if the application is filtering specific parameters from being logged, it might be a good idea to prevent these values from being stored in plaintext in a database as well.

data/STYLEGUIDE.md

@@ -0,0 +1,111 @@
+# Style Guide
+
+## Block Delimeters for multi-line chaining
+
+Prefer {...} over do...end for multi-line chained blocks.
+
+We use the enforced style `braces_for_chaining`.
+
+For example:
+
+### BAD:
+
+```ruby
+array_of_things.each do |thing|
+  thing if thing.condition?
+end.compact
+```
+
+### GOOD:
+
+```ruby
+array_of_things.each { |thing|
+  thing if thing.condition?
+}.compact
+```
+
+## Timeout.timeout needs custom exception
+
+If we use `Timeout.timeout` without a custom exception, rescue blocks may be prevented from executing.
+
+For example:
+
+### BAD:
+
+```ruby
+Timeout.timeout(run_timeout)
+```
+
+### GOOD:
+
+```ruby
+Timeout.timeout(run_timeout, SomeModule::SomeError)
+```
+
+## Rails/OutputSafety
+
+We explictly enabled the `Rails/OutputSafety` cop to ensure its usage. It prevents usage of `raw`, `html_safe`, or `safe_concat` unless they are explicitly disabled.
+
+This [blog post](https://engineering.betterment.qa/2017/05/15/unsafe-html-rendering.html) explains our feelings on unsafe HTML rendering.
+
+## Use parentheses for percent literal delimeters
+
+We enforce usage of parentheses for all percent literal delimeters besides `%r` (the macro for regexps) for which we use curly braces.
+
+### GOOD:
+
+```ruby
+%w(one two three)
+%i(one two three)
+%r{(\w+)-(\d+)}
+```
+
+### BAD:
+
+```ruby
+%w[one two three]
+%i[one two three]
+%w!one two three!
+%r((\w+)-(\d+))
+```
+
+## Naming/VariableNumber
+
+We enforce the style "snake_case", which means that we prefer to name variables that end in a number with an extra underscore.
+
+### GOOD:
+
+```ruby
+user_1 = User.first
+user_2 = User.second
+```
+
+### BAD:
+
+```ruby
+user1 = User.first
+user2 = User.second
+```
+
+The snake case style is more readable.
+
+## Betterment/ServerErrorAssertion
+
+In RSpec tests, we prevent HTTP response status assertions against server error codes (e.g., 500). While it’s acceptable to
+“under-build” APIs under assumption of controlled and well-behaving clients, these exceptions should be treated as undefined behavior and
+thus do not need request spec coverage. In cases where the server must communicate an expected failure to the client, an appropriate
+semantic status code must be used (e.g., 403, 422, etc.).
+
+### GOOD:
+
+```ruby
+expect(response).to have_http_status :forbidden
+expect(response).to have_http_status 422
+```
+
+### BAD:
+
+```ruby
+expect(response).to have_http_status :internal_server_error
+expect(response).to have_http_status 500
+```

data/config/default.yml

@@ -0,0 +1,290 @@
+# please keep this file alphabetically ordered!
+
+require:
+  - rubocop/cop/betterment.rb
+  - rubocop-performance
+  - rubocop-rails
+  - rubocop-rake
+  - rubocop-rspec
+
+AllCops:
+  Exclude:
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'vendor/**/*'
+    - 'frontend/**/*'
+    - 'build/**/*'
+    - 'node_modules/**/*'
+    - 'tmp/**/*'
+    - 'Gemfile'
+  DisplayStyleGuide: true
+  DisplayCopNames: true
+
+Betterment/ServerErrorAssertion:
+  Description: 'Detects assertions on 5XX HTTP statuses.'
+  Include:
+    - 'spec/requests/**/*_spec.rb'
+
+Betterment/AuthorizationInController:
+  Description: 'Detects unsafe handling of id-like parameters in controllers.'
+  Enabled: false
+
+Betterment/UnsafeJob:
+  Enabled: false
+  sensitive_params:
+    - password
+    - social_security_number
+    - ssn
+
+Betterment/SitePrismLoaded:
+  Include:
+    - 'spec/features/**/*_spec.rb'
+    - 'spec/system/**/*_spec.rb'
+
+Layout/ParameterAlignment:
+  Enabled: false
+
+Layout/CaseIndentation:
+  IndentOneStep: true
+
+Layout/ClosingParenthesisIndentation:
+  Enabled: false
+
+Layout/FirstArrayElementIndentation:
+  EnforcedStyle: consistent
+
+Layout/LineLength:
+  Max: 140
+
+Layout/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Layout/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+# Disabling because of a bug in rubocop: https://github.com/rubocop-hq/rubocop/issues/6918
+Layout/RescueEnsureAlignment:
+  Enabled: false
+
+Lint/AmbiguousBlockAssociation:
+  Exclude:
+    - 'spec/**/*'
+
+Lint/AmbiguousOperator:
+  Exclude:
+    - 'spec/**/*'
+
+Lint/AmbiguousRegexpLiteral:
+  Exclude:
+    - 'spec/**/*'
+
+Lint/BooleanSymbol:
+  Exclude:
+    - 'spec/**/*'
+
+Metrics/AbcSize:
+  Exclude:
+    - 'spec/**/*'
+    - 'webvalve/**/*'
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/ClassLength:
+  Max: 250
+  Exclude:
+    - 'webvalve/**/*'
+
+Metrics/CyclomaticComplexity:
+  Max: 10
+  Exclude:
+    - 'spec/**/*'
+    - 'webvalve/**/*'
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/ModuleLength:
+  Max: 250
+  Exclude:
+    - 'webvalve/**/*'
+
+Metrics/ParameterLists:
+  Max: 5
+  CountKeywordArgs: false
+
+Metrics/PerceivedComplexity:
+  Exclude:
+    - 'spec/**/*'
+    - 'webvalve/**/*'
+
+Naming/HeredocDelimiterNaming:
+  Enabled: false
+
+Naming/PredicateName:
+  NamePrefix:
+    - is_
+  ForbiddenPrefixes:
+    - is_
+
+Naming/VariableNumber:
+  EnforcedStyle: 'snake_case'
+
+Performance/RedundantMatch:
+  Enabled: false
+
+Rails:
+  Enabled: true
+
+Rails/ApplicationRecord:
+  Enabled: false
+
+Rails/Delegate:
+  Enabled: false
+
+Rails/FindEach:
+  Enabled: false
+
+Rails/HttpPositionalArguments:
+  Enabled: true
+
+Rails/OutputSafety:
+  Enabled: true
+
+RSpec/Capybara/FeatureMethods:
+  Enabled: false
+
+RSpec/ContextWording:
+  Enabled: false
+
+RSpec/DescribeClass:
+  Enabled: false
+
+RSpec/DescribedClass:
+  EnforcedStyle: 'described_class'
+
+RSpec/EmptyLineAfterExampleGroup:
+  Enabled: false
+
+RSpec/EmptyLineAfterFinalLet:
+  Enabled: false
+
+RSpec/EmptyLineAfterHook:
+  Enabled: false
+
+RSpec/EmptyLineAfterSubject:
+  Enabled: false
+
+RSpec/ExampleLength:
+  Enabled: false
+
+RSpec/ExampleWording:
+  Enabled: false
+
+RSpec/ExpectChange:
+  EnforcedStyle: 'block'
+
+RSpec/FilePath:
+  Enabled: false
+
+RSpec/HookArgument:
+  Enabled: false
+
+RSpec/ItBehavesLike:
+  Enabled: false
+
+RSpec/LeadingSubject:
+  Enabled: false
+
+RSpec/LetBeforeExamples:
+  Enabled: false
+
+RSpec/LetSetup:
+  Enabled: false
+
+RSpec/MessageSpies:
+  Enabled: false
+
+RSpec/MultipleExpectations:
+  Enabled: false
+
+RSpec/MultipleMemoizedHelpers:
+  Enabled: false
+
+RSpec/NamedSubject:
+  Enabled: false
+
+RSpec/NestedGroups:
+  Enabled: false
+
+RSpec/PredicateMatcher:
+  Enabled: false
+
+RSpec/ScatteredLet:
+  Enabled: false
+
+RSpec/ScatteredSetup:
+  Enabled: false
+
+Style/AccessModifierDeclarations:
+  Enabled: false
+
+Style/BlockDelimiters:
+  EnforcedStyle: braces_for_chaining
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/GuardClause:
+  Enabled: false
+
+Style/Lambda:
+  Enabled: false
+
+Style/LambdaCall:
+  Exclude:
+    - 'app/views/**/*.jbuilder'
+
+Style/MissingElse:
+  Enabled: true
+  EnforcedStyle: case
+
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    default: '()'
+    '%i': '()'
+    '%I': '()'
+    '%r': '{}'
+    '%w': '()'
+    '%W': '()'
+
+Style/SafeNavigation:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+Style/SymbolProc:
+  Enabled: false
+
+# Use a trailing comma to keep diffs clean when elements are inserted or removed
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/YodaCondition:
+  Enabled: false