cobalt-rubocop 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c08db73a41f4beaee02f72349ba019f38884ed65030ca622cffb6e2bb76d0dfe
-  data.tar.gz: '06588084616ac4a8e65741a3c251de8988faf4e2157bef50a8f290f64c7a5dd4'
+  metadata.gz: 6f2801ac2078b352088c701af34b58f9b88674b73699e40940a89c53c7be4843
+  data.tar.gz: 0e8c1af2bd5fe8d4bee073fb226e10de3b8fdf4a526fdff0133ead3abf543636
 SHA512:
-  metadata.gz: ccf9019e8758ea7b9c170c89a6f4cda9417251a114776b0682e9dd08da99df921641efd67d1bb4e64746af9d895576ddebe3cd6d56430ddc3011ed9c92958335
-  data.tar.gz: 35fdb07709b25dbb699f730a8aa3c13d30a244aad2d7745f1db4542d03e063dd8cc5dc7922fed21311faf941ab9e8982e479110af7b97fe1e57d8a22d92e862d
+  metadata.gz: 8f76c80ad5ff76cc3bc14ef1f40226af2ca7fb3ba4ca26feff3be987cb233535ecc3eb1d77d59a1155b5de971e8bfab9b2d6466e8368d7bbb200897ad413c044
+  data.tar.gz: eeb89417bc4035669050d7007c2eda9b010664e8d8bbb88a07c28ef2fa4181a6e8c24dfe8b5b2b26bb87d6faf4e8a20dc75fc42811aba415a04bb944a135ba6d

data/CHANGELOG.md

@@ -1,5 +1,11 @@
-# 0.1.0
+# CHANGELOG
 
+## 0.2.0 (2021-04-14)
+* Avoid warnings on RSpec `let` with parameter arrays ([#5](https://github.com/cobalthq/cobalt-rubocop/pull/5))
+* Add new cop `InsecureHashAlgorithm`. ([#3](https://github.com/cobalthq/cobalt-rubocop/pull/3))
+  * Possible need to re-generate `.rubocop_todo.yml` when updating.
+
+## 0.1.0 (2021-02-10)
 * Introduce default rules
 * Introduce rails rules
 * Introduce rspec rules

data/README.md

@@ -1,19 +1,37 @@
 # Cobalt RuboCop
+[![Gem Version](https://badge.fury.io/rb/cobalt-rubocop.svg)](https://badge.fury.io/rb/cobalt-rubocop)
+[![GitHub License](https://img.shields.io/github/license/cobalthq/cobalt-rubocop.svg)](https://github.com/cobalthq/cobalt-rubocop/blob/main/LICENSE)
+![Gem Downloads](https://img.shields.io/gem/dt/cobalt-rubocop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop-hq/rubocop)
 
 This repository provides recommended linting rules for Ruby repositories.
 
 ## Installation
 
 ### Gemfile
+#### Add
+  ```ruby
+  group :development do
+    gem 'cobalt-rubocop', require: false
+  end
+  ```
 
-```ruby
-group :development do
-  gem 'cobalt-rubocop', require: false, git: 'https://github.com/cobalthq/cobalt-rubocop', branch: :main
-end
-```
+#### Remove
+  ```ruby
+  gem 'rubocop', require: false
+  gem 'rubocop-performance', require: false
+  gem 'rubocop-rails', require: false
+  gem 'rubocop-rspec', require: false
+  ```
 
-### .rubocop.yml
+  [Specific versions](https://github.com/cobalthq/cobalt-rubocop/blob/main/cobalt-rubocop.gemspec) installed for:
+  - `rubocop`
+  - `rubocop-performance`
+  - `rubocop-rails`
+  - `rubocop-rspec`
 
+### .rubocop.yml
+Configuration Options:
 ```yaml
 inherit_gem:
   cobalt-rubocop:
@@ -41,6 +59,32 @@ The number of offences can be counted:
 grep "Offense count" .rubocop_todo.yml | awk -F: '{sum+=$2} END {print sum}'
 ```
 
+## Custom Cops
+### InsecureHashAlgorithm
+See [Ruby Docs](https://ruby-doc.org/stdlib-2.7.2/libdoc/openssl/rdoc/OpenSSL/Digest.html) for built in hash functions.
+
+- Default Configuration:
+  ```yml
+  Cobalt/InsecureHashAlgorithm:
+    Allowed:
+      - SHA256
+      - SHA384
+      - SHA512
+  ```
+
+  ```ruby
+  # bad
+  OpenSSL::Digest::MD5.digest('abc')
+  OpenSSL::Digest::SHA1.digest('abc')
+  OpenSSL::HMAC.new('abc', 'sha1')
+
+  # good
+  OpenSSL::Digest::SHA256.digest('abc')
+  OpenSSL::Digest::SHA384.digest('abc')
+  OpenSSL::Digest::SHA512.digest('abc')
+  OpenSSL::HMAC.new('abc', 'sha256')
+  ```
+
 ## Development
 ```shell
 git clone git@github.com:cobalthq/cobalt-rubocop.git
@@ -55,10 +99,14 @@ In your application, use the `path` attribute to point to your local copy of the
   gem 'cobalt-rubocop', path: '../cobalt-rubocop', require: false
 ```
 
-### Publishing the gem
-If you have access to publish the gem on rubygems:
-```shell
-rake build
-cd pkg
-gem push cobalt-rubocop-<version_number>.gem
-```
+Alternatively:
+- `rake build`
+- `gem install pkg/cobalt-rubocop-<version_number>.gem`
+
+## Publish (internal)
+> Note: Publishing a new version of this gem is only meant for maintainers.
+- Ensure you have access to publish on [rubygems](https://rubygems.org/gems/cobalt-rubocop).
+- Update [CHANGELOG](https://github.com/cobalthq/cobalt-rubocop/blob/main/CHANGELOG.md).
+- Update [`VERSION`](https://github.com/cobalthq/cobalt-rubocop/blob/main/lib/rubocop/cobalt/version.rb).
+- `rake release`
+  - This command builds the gem, creates a tag and publishes to rubygems, see [bundler docs](https://bundler.io/guides/creating_gem.html#releasing-the-gem).

data/config/default.yml

@@ -1,5 +1,6 @@
 require:
   - rubocop-performance
+  - rubocop/cop/cobalt
 
 AllCops:
   NewCops: enable
@@ -57,3 +58,6 @@ Style/IfUnlessModifier:
 
 Style/ClassAndModuleChildren:
   EnforcedStyle: nested
+
+Cobalt/InsecureHashAlgorithm:
+  Enabled: true

data/config/rspec.yml

@@ -14,6 +14,7 @@ RSpec/MessageSpies:
 RSpec/VariableName:
   IgnoredPatterns:
     - ^Authorization
+    - '\[\]$' # For array parameters in rswag like `let(:'<parameter_name>[]')`
 
 RSpec/MultipleMemoizedHelpers:
   Max: 17

data/lib/rubocop/cobalt/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cobalt
+    VERSION = '0.2.0'
+  end
+end

data/lib/rubocop/cop/cobalt.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'rubocop/cop/cobalt/insecure_hash_algorithm'

data/lib/rubocop/cop/cobalt/insecure_hash_algorithm.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+# original code from https://github.com/github/rubocop-github/blob/master/lib/rubocop/cop/github/insecure_hash_algorithm.rb
+
+module RuboCop
+  module Cop
+    module Cobalt
+      class InsecureHashAlgorithm < Cop
+        # Matches constants like these:
+        #   Digest::MD5
+        #   OpenSSL::Digest::MD5
+        def_node_matcher :insecure_const?, <<-PATTERN
+          (const (const _ :Digest) #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like these:
+        #   Digest.new('md5')
+        #   Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest.new('md5')
+        #   OpenSSL::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new('md5')
+        #   OpenSSL::Digest::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new(:MD5)
+        #   OpenSSL::Digest::Digest.hexdigest(:MD5, 'str')
+        def_node_matcher :insecure_digest?, <<-PATTERN
+          (send
+            (const _ {:Digest :HMAC})
+            #not_just_encoding?
+            #insecure_algorithm?
+            ...)
+        PATTERN
+
+        # Matches calls like "Digest(:MD5)".
+        def_node_matcher :insecure_hash_lookup?, <<-PATTERN
+          (send _ :Digest #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, hash)"
+        def_node_matcher :openssl_hmac_new?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new ...)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, 'sha1')"
+        def_node_matcher :openssl_hmac_new_insecure?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new _ #insecure_algorithm?)
+        PATTERN
+
+        # Matches Rails's Digest::UUID.
+        def_node_matcher :digest_uuid?, <<-PATTERN
+          (const (const _ :Digest) :UUID)
+        PATTERN
+
+        def_node_matcher :uuid_v3?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v3 ...)
+        PATTERN
+
+        def_node_matcher :uuid_v5?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v5 ...)
+        PATTERN
+
+        def insecure_algorithm?(val)
+          return false if val == :Digest # Don't match "Digest::Digest".
+
+          case alg_name(val)
+          when *allowed_hash_functions, Symbol
+            false
+          else
+            true
+          end
+        end
+
+        def not_just_encoding?(val)
+          !just_encoding?(val)
+        end
+
+        def just_encoding?(val)
+          %i[hexencode bubblebabble].include?(val)
+        end
+
+        DEFAULT_ALLOWED = %w[
+          SHA256
+          SHA384
+          SHA512
+        ].freeze
+
+        def allowed_hash_functions
+          @allowed_hash_functions ||= cop_config.fetch('Allowed', DEFAULT_ALLOWED).map(&:downcase)
+        end
+
+        def alg_name(val)
+          return :nil if val.nil?
+          return val.to_s.downcase unless val.is_a?(RuboCop::AST::Node)
+
+          case val.type
+          when :sym, :str
+            val.children.first.to_s.downcase
+          else
+            val.type
+          end
+        end
+
+        def on_const(const_node)
+          add_offense(const_node, message: default_message) if insecure_const?(const_node) && !digest_uuid?(const_node)
+        end
+
+        def on_send(send_node)
+          if uuid_v3?(send_node) && !allowed_hash_functions.include?('md5')
+            add_offense(send_node, message: "uuid_v3 uses MD5, which is not allowed. Prefer: #{allowed_hash_functions.join(', ')}")
+          elsif uuid_v5?(send_node) && !allowed_hash_functions.include?('sha1')
+            add_offense(send_node, message: "uuid_v5 uses SHA1, which is not allowed. Prefer: #{allowed_hash_functions.join(', ')}")
+          elsif openssl_hmac_new?(send_node) && openssl_hmac_new_insecure?(send_node) ||
+              insecure_digest?(send_node) || insecure_hash_lookup?(send_node)
+            add_offense(send_node, message: default_message)
+          end
+        end
+
+        def default_message
+          "This hash function is not allowed. Prefer: #{allowed_hash_functions.join(', ')}"
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cobalt-rubocop
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Cobalt Engineering
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2021-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -80,6 +80,20 @@ dependencies:
     - - '='
       - !ruby/object:Gem::Version
         version: 2.2.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.10.0
 description: Ruby code linting for Cobalt Ruby repositories
 email:
 executables: []
@@ -92,6 +106,9 @@ files:
 - config/default.yml
 - config/rails.yml
 - config/rspec.yml
+- lib/rubocop/cobalt/version.rb
+- lib/rubocop/cop/cobalt.rb
+- lib/rubocop/cop/cobalt/insecure_hash_algorithm.rb
 homepage: https://github.com/cobalthq/cobalt-rubocop
 licenses:
 - MIT
@@ -115,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.9
 signing_key:
 specification_version: 4
 summary: Cobalt RuboCop