cobalt-rubocop 0.1.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c08db73a41f4beaee02f72349ba019f38884ed65030ca622cffb6e2bb76d0dfe
-  data.tar.gz: '06588084616ac4a8e65741a3c251de8988faf4e2157bef50a8f290f64c7a5dd4'
+  metadata.gz: e6dc98fd50cb09459ed2b1549f9946ee1d0e73ad7be7c099b22c1ca78641cabc
+  data.tar.gz: bb451d97a1ef101b4a80c4d9bb66e46fed55b1b5f55a07d42f9c063c78f46139
 SHA512:
-  metadata.gz: ccf9019e8758ea7b9c170c89a6f4cda9417251a114776b0682e9dd08da99df921641efd67d1bb4e64746af9d895576ddebe3cd6d56430ddc3011ed9c92958335
-  data.tar.gz: 35fdb07709b25dbb699f730a8aa3c13d30a244aad2d7745f1db4542d03e063dd8cc5dc7922fed21311faf941ab9e8982e479110af7b97fe1e57d8a22d92e862d
+  metadata.gz: 864612e1bc4558bae753049b59b41387b74a7a8c83bd605b319da05f30f8c1661b984a3bd5e3305840a8eb67e3605f336960f9f4815d8d6cb5e02de48a6c68ba
+  data.tar.gz: d3c100cf002c07b94aa64f4603b342f1351abdb6cd4e46a4b37e640a82bea26a7b9cd8854ef956179d0e811a54589ab39dd011b0d062cef54fecfbd959f47a6a

data/CHANGELOG.md

@@ -1,5 +1,21 @@
-# 0.1.0
+# CHANGELOG
+## main (unreleased)
+* WIP
 
+## 0.5.0 (2022-01-25)
+* Update Gem versions ([#8](https://github.com/cobalthq/cobalt-rubocop/pull/8))
+
+## 0.4.0 (2021-09-07)
+* Update Gem versions ([#7](https://github.com/cobalthq/cobalt-rubocop/pull/7))
+
+## 0.3.0 (2021-04-16)
+* Update Rubocop and Rubocop Performance versions ([#6](https://github.com/cobalthq/cobalt-rubocop/pull/6))
+
+## 0.2.0 (2021-04-14)
+* Avoid warnings on RSpec `let` with parameter arrays ([#5](https://github.com/cobalthq/cobalt-rubocop/pull/5))
+* Add new cop `InsecureHashAlgorithm`. ([#3](https://github.com/cobalthq/cobalt-rubocop/pull/3))
+
+## 0.1.0 (2021-02-10)
 * Introduce default rules
 * Introduce rails rules
 * Introduce rspec rules

data/README.md

@@ -1,19 +1,37 @@
 # Cobalt RuboCop
+[![Gem Version](https://badge.fury.io/rb/cobalt-rubocop.svg)](https://badge.fury.io/rb/cobalt-rubocop)
+[![GitHub License](https://img.shields.io/github/license/cobalthq/cobalt-rubocop.svg)](https://github.com/cobalthq/cobalt-rubocop/blob/main/LICENSE)
+![Gem Downloads](https://img.shields.io/gem/dt/cobalt-rubocop)
+[![Ruby Style Guide](https://img.shields.io/badge/code_style-rubocop-brightgreen.svg)](https://github.com/rubocop-hq/rubocop)
 
 This repository provides recommended linting rules for Ruby repositories.
 
 ## Installation
 
 ### Gemfile
+#### Add
+  ```ruby
+  group :development do
+    gem 'cobalt-rubocop', require: false
+  end
+  ```
 
-```ruby
-group :development do
-  gem 'cobalt-rubocop', require: false, git: 'https://github.com/cobalthq/cobalt-rubocop', branch: :main
-end
-```
+#### Remove
+  ```ruby
+  gem 'rubocop', require: false
+  gem 'rubocop-performance', require: false
+  gem 'rubocop-rails', require: false
+  gem 'rubocop-rspec', require: false
+  ```
 
-### .rubocop.yml
+  [Specific versions](https://github.com/cobalthq/cobalt-rubocop/blob/main/cobalt-rubocop.gemspec) installed for:
+  - [rubocop](https://github.com/rubocop-hq/rubocop)
+  - [rubocop-performance](https://github.com/rubocop/rubocop-performance)
+  - [rubocop-rails](https://github.com/rubocop/rubocop-rails)
+  - [rubocop-rspec](https://github.com/rubocop/rubocop-rspec)
 
+### .rubocop.yml
+Configuration Options:
 ```yaml
 inherit_gem:
   cobalt-rubocop:
@@ -41,11 +59,37 @@ The number of offences can be counted:
 grep "Offense count" .rubocop_todo.yml | awk -F: '{sum+=$2} END {print sum}'
 ```
 
+## Custom Cops
+### InsecureHashAlgorithm
+See [Ruby Docs](https://ruby-doc.org/stdlib-2.7.2/libdoc/openssl/rdoc/OpenSSL/Digest.html) for built in hash functions.
+
+- Default Configuration:
+  ```yml
+  Cobalt/InsecureHashAlgorithm:
+    Allowed:
+      - SHA256
+      - SHA384
+      - SHA512
+  ```
+
+  ```ruby
+  # bad
+  OpenSSL::Digest::MD5.digest('abc')
+  OpenSSL::Digest::SHA1.digest('abc')
+  OpenSSL::HMAC.new('abc', 'sha1')
+
+  # good
+  OpenSSL::Digest::SHA256.digest('abc')
+  OpenSSL::Digest::SHA384.digest('abc')
+  OpenSSL::Digest::SHA512.digest('abc')
+  OpenSSL::HMAC.new('abc', 'sha256')
+  ```
+
 ## Development
 ```shell
 git clone git@github.com:cobalthq/cobalt-rubocop.git
-gem install bundler:2.2.2
-bundle _2.2.2_
+gem install bundler:2.2.16
+bundle _2.2.16_
 ```
 
 ### Testing locally
@@ -55,10 +99,14 @@ In your application, use the `path` attribute to point to your local copy of the
   gem 'cobalt-rubocop', path: '../cobalt-rubocop', require: false
 ```
 
-### Publishing the gem
-If you have access to publish the gem on rubygems:
-```shell
-rake build
-cd pkg
-gem push cobalt-rubocop-<version_number>.gem
-```
+Alternatively:
+- `rake build`
+- `gem install pkg/cobalt-rubocop-<version_number>.gem`
+
+## Publish (internal)
+> Note: Publishing a new version of this gem is only meant for maintainers.
+- Ensure you have access to publish on [rubygems](https://rubygems.org/gems/cobalt-rubocop).
+- Update [CHANGELOG](https://github.com/cobalthq/cobalt-rubocop/blob/main/CHANGELOG.md).
+- Update [`VERSION`](https://github.com/cobalthq/cobalt-rubocop/blob/main/lib/rubocop/cobalt/version.rb).
+- `rake release`
+  - This command builds the gem, creates a tag and publishes to rubygems, see [bundler docs](https://bundler.io/guides/creating_gem.html#releasing-the-gem).

data/config/default.yml

@@ -1,5 +1,6 @@
 require:
   - rubocop-performance
+  - rubocop/cop/cobalt
 
 AllCops:
   NewCops: enable
@@ -57,3 +58,6 @@ Style/IfUnlessModifier:
 
 Style/ClassAndModuleChildren:
   EnforcedStyle: nested
+
+Cobalt/InsecureHashAlgorithm:
+  Enabled: true

data/config/rspec.yml

@@ -14,6 +14,7 @@ RSpec/MessageSpies:
 RSpec/VariableName:
   IgnoredPatterns:
     - ^Authorization
+    - '\[\]$' # For array parameters in rswag like `let(:'<parameter_name>[]')`
 
 RSpec/MultipleMemoizedHelpers:
   Max: 17

data/lib/rubocop/cobalt/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cobalt
+    VERSION = '0.5.0'
+  end
+end

data/lib/rubocop/cop/cobalt/insecure_hash_algorithm.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+# original code from https://github.com/github/rubocop-github/blob/master/lib/rubocop/cop/github/insecure_hash_algorithm.rb
+
+module RuboCop
+  module Cop
+    module Cobalt
+      class InsecureHashAlgorithm < Cop
+        # Matches constants like these:
+        #   Digest::MD5
+        #   OpenSSL::Digest::MD5
+        def_node_matcher :insecure_const?, <<-PATTERN
+          (const (const _ :Digest) #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like these:
+        #   Digest.new('md5')
+        #   Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest.new('md5')
+        #   OpenSSL::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new('md5')
+        #   OpenSSL::Digest::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new(:MD5)
+        #   OpenSSL::Digest::Digest.hexdigest(:MD5, 'str')
+        def_node_matcher :insecure_digest?, <<-PATTERN
+          (send
+            (const _ {:Digest :HMAC})
+            #not_just_encoding?
+            #insecure_algorithm?
+            ...)
+        PATTERN
+
+        # Matches calls like "Digest(:MD5)".
+        def_node_matcher :insecure_hash_lookup?, <<-PATTERN
+          (send _ :Digest #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, hash)"
+        def_node_matcher :openssl_hmac_new?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new ...)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, 'sha1')"
+        def_node_matcher :openssl_hmac_new_insecure?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new _ #insecure_algorithm?)
+        PATTERN
+
+        # Matches Rails's Digest::UUID.
+        def_node_matcher :digest_uuid?, <<-PATTERN
+          (const (const _ :Digest) :UUID)
+        PATTERN
+
+        def_node_matcher :uuid_v3?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v3 ...)
+        PATTERN
+
+        def_node_matcher :uuid_v5?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v5 ...)
+        PATTERN
+
+        def insecure_algorithm?(val)
+          return false if val == :Digest # Don't match "Digest::Digest".
+
+          case alg_name(val)
+          when *allowed_hash_functions, Symbol
+            false
+          else
+            true
+          end
+        end
+
+        def not_just_encoding?(val)
+          !just_encoding?(val)
+        end
+
+        def just_encoding?(val)
+          %i[hexencode bubblebabble].include?(val)
+        end
+
+        DEFAULT_ALLOWED = %w[
+          SHA256
+          SHA384
+          SHA512
+        ].freeze
+
+        def allowed_hash_functions
+          @allowed_hash_functions ||= cop_config.fetch('Allowed', DEFAULT_ALLOWED).map(&:downcase)
+        end
+
+        def alg_name(val)
+          return :nil if val.nil?
+          return val.to_s.downcase unless val.is_a?(RuboCop::AST::Node)
+
+          case val.type
+          when :sym, :str
+            val.children.first.to_s.downcase
+          else
+            val.type
+          end
+        end
+
+        def on_const(const_node)
+          add_offense(const_node, message: default_message) if insecure_const?(const_node) && !digest_uuid?(const_node)
+        end
+
+        def on_send(send_node)
+          if uuid_v3?(send_node) && !allowed_hash_functions.include?('md5')
+            add_offense(send_node, message: "uuid_v3 uses MD5, which is not allowed. Prefer: #{allowed_hash_functions.join(', ')}")
+          elsif uuid_v5?(send_node) && !allowed_hash_functions.include?('sha1')
+            add_offense(send_node, message: "uuid_v5 uses SHA1, which is not allowed. Prefer: #{allowed_hash_functions.join(', ')}")
+          elsif openssl_hmac_new?(send_node) && openssl_hmac_new_insecure?(send_node) ||
+              insecure_digest?(send_node) || insecure_hash_lookup?(send_node)
+            add_offense(send_node, message: default_message)
+          end
+        end
+
+        def default_message
+          "This hash function is not allowed. Prefer: #{allowed_hash_functions.join(', ')}"
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/cobalt.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'rubocop/cop/cobalt/insecure_hash_algorithm'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cobalt-rubocop
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Cobalt Engineering
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-10 00:00:00.000000000 Z
+date: 2022-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -16,70 +16,84 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.25.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.25.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: 1.13.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.9.2
+        version: 1.13.2
 - !ruby/object:Gem::Dependency
   name: rubocop-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.9.1
+        version: 2.13.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.9.1
+        version: 2.13.2
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.8.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: 2.8.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: 2.2.16
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 2.2.2
+        version: 2.2.16
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.10.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.10.0
 description: Ruby code linting for Cobalt Ruby repositories
 email:
 executables: []
@@ -92,6 +106,9 @@ files:
 - config/default.yml
 - config/rails.yml
 - config/rspec.yml
+- lib/rubocop/cobalt/version.rb
+- lib/rubocop/cop/cobalt.rb
+- lib/rubocop/cop/cobalt/insecure_hash_algorithm.rb
 homepage: https://github.com/cobalthq/cobalt-rubocop
 licenses:
 - MIT
@@ -115,7 +132,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.2.3
 signing_key:
 specification_version: 4
 summary: Cobalt RuboCop