erb_lint 0.0.35 → 0.1.1

data/lib/erb_lint/linters/closing_erb_tag_indent.rb

@@ -25,7 +25,7 @@ module ERBLint
             add_offense(
               code_node.loc.end.adjust(begin_pos: -end_spaces.size),
               "Remove newline before `%>` to match start of tag.",
-              ' '
+              " "
             )
           elsif start_with_newline && !end_with_newline
             add_offense(
@@ -39,7 +39,7 @@ module ERBLint
               add_offense(
                 code_node.loc.end.adjust(begin_pos: -current_indent.size),
                 "Indent `%>` on column #{erb_node.loc.column} to match start of tag.",
-                ' ' * erb_node.loc.column
+                " " * erb_node.loc.column
               )
             end
           end

data/lib/erb_lint/linters/deprecated_classes.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'better_html/parser'
+require "better_html"
+require "better_html/parser"
 
 module ERBLint
   module Linters
@@ -11,7 +11,7 @@ module ERBLint
 
       class RuleSet
         include SmartProperties
-        property :suggestion, accepts: String, default: ''
+        property :suggestion, accepts: String, default: ""
         property :deprecated, accepts: LinterConfig.array_of?(String), default: -> { [] }
       end
 
@@ -57,9 +57,9 @@ module ERBLint
       def class_name_with_loc(processed_source)
         Enumerator.new do |yielder|
           tags(processed_source).each do |tag|
-            class_value = tag.attributes['class']&.value
+            class_value = tag.attributes["class"]&.value
             next unless class_value
-            class_value.split(' ').each do |class_name|
+            class_value.split(" ").each do |class_name|
               yielder.yield(class_name, tag.loc)
             end
           end
@@ -69,7 +69,7 @@ module ERBLint
       def text_tags_content(processed_source)
         Enumerator.new do |yielder|
           script_tags(processed_source)
-            .select { |tag| tag.attributes['type']&.value == 'text/html' }
+            .select { |tag| tag.attributes["type"]&.value == "text/html" }
             .each do |tag|
               index = processed_source.ast.to_a.find_index(tag.node)
               next_node = processed_source.ast.to_a[index + 1]
@@ -80,7 +80,7 @@ module ERBLint
       end
 
       def script_tags(processed_source)
-        tags(processed_source).select { |tag| tag.name == 'script' }
+        tags(processed_source).select { |tag| tag.name == "script" }
       end
 
       def tags(processed_source)

data/lib/erb_lint/linters/erb_safety.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'better_html/test_helper/safe_erb_tester'
+require "better_html"
+require "better_html/test_helper/safe_erb_tester"
 
 module ERBLint
   module Linters

data/lib/erb_lint/linters/extra_newline.rb

@@ -22,7 +22,7 @@ module ERBLint
 
       def autocorrect(_processed_source, offense)
         lambda do |corrector|
-          corrector.replace(offense.source_range, '')
+          corrector.replace(offense.source_range, "")
         end
       end
     end

data/lib/erb_lint/linters/final_newline.rb

@@ -28,7 +28,7 @@ module ERBLint
           if final_newline.empty?
             add_offense(
               processed_source.to_source_range(file_content.size...file_content.size),
-              'Missing a trailing newline at the end of the file.',
+              "Missing a trailing newline at the end of the file.",
               :insert
             )
           else
@@ -36,7 +36,7 @@ module ERBLint
               processed_source.to_source_range(
                 (file_content.size - final_newline.size + 1)...file_content.size
               ),
-              'Remove multiple trailing newline at the end of the file.',
+              "Remove multiple trailing newline at the end of the file.",
               :remove
             )
           end

data/lib/erb_lint/linters/hard_coded_string.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require "set"
-require 'better_html/tree/tag'
-require 'active_support/core_ext/string/inflections'
+require "better_html/tree/tag"
+require "active_support/core_ext/string/inflections"
 
 module ERBLint
   module Linters
@@ -13,17 +13,37 @@ module ERBLint
       MissingCorrector = Class.new(StandardError)
       MissingI18nLoadPath = Class.new(StandardError)
 
-      ALLOWED_CORRECTORS = %w(
-        I18nCorrector
-        RuboCop::Corrector::I18n::HardCodedString
-      )
-
-      NON_TEXT_TAGS = Set.new(%w(script style xmp iframe noembed noframes listing))
-      BLACK_LISTED_TEXT = Set.new(%w(       ))
+      ALLOWED_CORRECTORS = ["I18nCorrector", "RuboCop::Corrector::I18n::HardCodedString"]
+
+      NON_TEXT_TAGS = Set.new(["script", "style", "xmp", "iframe", "noembed", "noframes", "listing"])
+      TEXT_NOT_ALLOWED = Set.new([
+        " ",
+        "&",
+        "<",
+        ">",
+        """,
+        "©",
+        "®",
+        "™",
+        "…",
+        "—",
+        "•",
+        "“",
+        "”",
+        "‘",
+        "’",
+        "←",
+        "→",
+        "↓",
+        "↑",
+        " ",
+        " ",
+        " ",
+      ])
 
       class ConfigSchema < LinterConfig
         property :corrector, accepts: Hash, required: false, default: -> { {} }
-        property :i18n_load_path, accepts: String, required: false, default: ''
+        property :i18n_load_path, accepts: String, required: false, default: ""
       end
       self.config_schema = ConfigSchema
 
@@ -65,7 +85,7 @@ module ERBLint
         return unless string.strip.length > 1
         node = ::RuboCop::AST::StrNode.new(:str, [string])
         corrector = klass.new(node, processed_source.filename, corrector_i18n_load_path, offense.source_range)
-        corrector.autocorrect(tag_start: '<%= ', tag_end: ' %>')
+        corrector.autocorrect(tag_start: "<%= ", tag_end: " %>")
       rescue MissingCorrector, MissingI18nLoadPath
         nil
       end
@@ -73,20 +93,20 @@ module ERBLint
       private
 
       def check_string?(str)
-        string = str.gsub(/\s*/, '')
-        string.length > 1 && !BLACK_LISTED_TEXT.include?(string)
+        string = str.gsub(/\s*/, "")
+        string.length > 1 && !TEXT_NOT_ALLOWED.include?(string)
       end
 
       def load_corrector
-        corrector_name = @config['corrector'].fetch('name') { raise MissingCorrector }
+        corrector_name = @config["corrector"].fetch("name") { raise MissingCorrector }
         raise ForbiddenCorrector unless ALLOWED_CORRECTORS.include?(corrector_name)
-        require @config['corrector'].fetch('path') { raise MissingCorrector }
+        require @config["corrector"].fetch("path") { raise MissingCorrector }
 
         corrector_name.safe_constantize
       end
 
       def corrector_i18n_load_path
-        @config['corrector'].fetch('i18n_load_path') { raise MissingI18nLoadPath }
+        @config["corrector"].fetch("i18n_load_path") { raise MissingI18nLoadPath }
       end
 
       def non_text_tag?(processed_source, text_node)

data/lib/erb_lint/linters/no_javascript_tag_helper.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'better_html/ast/node'
-require 'better_html/test_helper/ruby_node'
-require 'erb_lint/utils/block_map'
-require 'erb_lint/utils/ruby_to_erb'
+require "better_html"
+require "better_html/ast/node"
+require "better_html/test_helper/ruby_node"
+require "erb_lint/utils/block_map"
+require "erb_lint/utils/ruby_to_erb"
 
 module ERBLint
   module Linters
@@ -21,7 +21,7 @@ module ERBLint
         parser.ast.descendants(:erb).each do |erb_node|
           indicator_node, _, code_node, _ = *erb_node
           indicator = indicator_node&.loc&.source
-          next if indicator == '#'
+          next if indicator == "#"
           source = code_node.loc.source
 
           ruby_node =
@@ -63,10 +63,10 @@ module ERBLint
         return unless (0..2).cover?(argument_nodes.size)
 
         script_content = unless argument_nodes.first&.type?(:hash)
-          Utils::RubyToERB.ruby_to_erb(argument_nodes.first, '==')
+          Utils::RubyToERB.ruby_to_erb(argument_nodes.first, "==")
         end
         arguments = if argument_nodes.last&.type?(:hash)
-          ' ' + Utils::RubyToERB.html_options_to_tag_attributes(argument_nodes.last)
+          " " + Utils::RubyToERB.html_options_to_tag_attributes(argument_nodes.last)
         end
 
         return if end_node && script_content

data/lib/erb_lint/linters/partial_instance_variable.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ERBLint
+  module Linters
+    # Checks for instance variables in partials.
+    class PartialInstanceVariable < Linter
+      include LinterRegistry
+
+      def run(processed_source)
+        instance_variable_regex = /\s@\w+/
+        return unless processed_source.filename.match?(/.*_.*.erb\z/) &&
+          processed_source.file_content.match?(instance_variable_regex)
+
+        add_offense(
+          processed_source.to_source_range(
+            processed_source.file_content =~ instance_variable_regex..processed_source.file_content.size
+          ),
+          "Instance variable detected in partial."
+        )
+      end
+    end
+  end
+end

data/lib/erb_lint/linters/require_input_autocomplete.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require "better_html"
+require "better_html/tree/tag"
+
+module ERBLint
+  module Linters
+    class RequireInputAutocomplete < Linter
+      include LinterRegistry
+
+      HTML_INPUT_TYPES_REQUIRING_AUTOCOMPLETE = [
+        "color",
+        "date",
+        "datetime-local",
+        "email",
+        "month",
+        "number",
+        "password",
+        "range",
+        "search",
+        "tel",
+        "text",
+        "time",
+        "url",
+        "week",
+      ].freeze
+
+      FORM_HELPERS_REQUIRING_AUTOCOMPLETE = [
+        :date_field_tag,
+        :color_field_tag,
+        :email_field_tag,
+        :text_field_tag,
+        :utf8_enforcer_tag,
+        :month_field_tag,
+        :number_field_tag,
+        :password_field_tag,
+        :search_field_tag,
+        :telephone_field_tag,
+        :time_field_tag,
+        :url_field_tag,
+        :week_field_tag,
+      ].freeze
+
+      def run(processed_source)
+        parser = processed_source.parser
+
+        find_html_input_tags(parser)
+        find_rails_helper_input_tags(parser)
+      end
+
+      private
+
+      def find_html_input_tags(parser)
+        parser.nodes_with_type(:tag).each do |tag_node|
+          tag = BetterHtml::Tree::Tag.from_node(tag_node)
+
+          autocomplete_attribute = tag.attributes["autocomplete"]
+          type_attribute = tag.attributes["type"]
+
+          next if !html_input_tag?(tag) || autocomplete_present?(autocomplete_attribute)
+          next unless html_type_requires_autocomplete_attribute?(type_attribute)
+
+          add_offense(
+            tag_node.to_a[1].loc,
+            "Input tag is missing an autocomplete attribute. If no "\
+            "autocomplete behaviour is desired, use the value `off` or `nope`.",
+            [autocomplete_attribute]
+          )
+        end
+      end
+
+      def autocomplete_present?(autocomplete_attribute)
+        autocomplete_attribute.present? && autocomplete_attribute.value_node.present?
+      end
+
+      def html_input_tag?(tag)
+        !tag.closing? && tag.name == "input"
+      end
+
+      def html_type_requires_autocomplete_attribute?(type_attribute)
+        type_present = type_attribute.present? && type_attribute.value_node.present?
+        type_present && HTML_INPUT_TYPES_REQUIRING_AUTOCOMPLETE.include?(type_attribute.value)
+      end
+
+      def find_rails_helper_input_tags(parser)
+        parser.ast.descendants(:erb).each do |erb_node|
+          indicator_node, _, code_node, _ = *erb_node
+          source = code_node.loc.source
+          ruby_node = extract_ruby_node(source)
+          send_node = ruby_node&.descendants(:send)&.first
+
+          next if code_comment?(indicator_node) ||
+            !ruby_node ||
+            !input_helper?(send_node) ||
+            source.include?("autocomplete")
+
+          add_offense(
+            erb_node.loc,
+            "Input field helper is missing an autocomplete attribute. If no "\
+            "autocomplete behaviour is desired, use the value `off` or `nope`.",
+            [erb_node, send_node]
+          )
+        end
+      end
+
+      def input_helper?(send_node)
+        FORM_HELPERS_REQUIRING_AUTOCOMPLETE.include?(send_node&.method_name)
+      end
+
+      def code_comment?(indicator_node)
+        indicator_node&.loc&.source == "#"
+      end
+
+      def extract_ruby_node(source)
+        BetterHtml::TestHelper::RubyNode.parse(source)
+      rescue ::Parser::SyntaxError
+        nil
+      end
+    end
+  end
+end

data/lib/erb_lint/linters/require_script_nonce.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require "better_html"
+require "better_html/tree/tag"
+
+module ERBLint
+  module Linters
+    # Allow inline script tags in ERB that have a nonce attribute.
+    # This only validates inline <script> tags, as well as rails helpers like javascript_tag.
+    class RequireScriptNonce < Linter
+      include LinterRegistry
+
+      def run(processed_source)
+        parser = processed_source.parser
+
+        find_html_script_tags(parser)
+        find_rails_helper_script_tags(parser)
+      end
+
+      private
+
+      def find_html_script_tags(parser)
+        parser.nodes_with_type(:tag).each do |tag_node|
+          tag = BetterHtml::Tree::Tag.from_node(tag_node)
+          nonce_attribute = tag.attributes["nonce"]
+
+          next if !html_javascript_tag?(tag) || nonce_present?(nonce_attribute)
+
+          add_offense(
+            tag_node.to_a[1].loc,
+            "Missing a nonce attribute. Use request.content_security_policy_nonce",
+            [nonce_attribute]
+          )
+        end
+      end
+
+      def nonce_present?(nonce_attribute)
+        nonce_attribute.present? && nonce_attribute.value_node.present?
+      end
+
+      def html_javascript_tag?(tag)
+        !tag.closing? &&
+          (tag.name == "script" && !html_javascript_type_attribute?(tag))
+      end
+
+      def html_javascript_type_attribute?(tag)
+        type_attribute = tag.attributes["type"]
+
+        type_attribute &&
+          type_attribute.value_node.present? &&
+          type_attribute.value_node.to_a[1] != "text/javascript" &&
+          type_attribute.value_node.to_a[1] != "application/javascript"
+      end
+
+      def find_rails_helper_script_tags(parser)
+        parser.ast.descendants(:erb).each do |erb_node|
+          indicator_node, _, code_node, _ = *erb_node
+          source = code_node.loc.source
+          ruby_node = extract_ruby_node(source)
+          send_node = ruby_node&.descendants(:send)&.first
+
+          next if code_comment?(indicator_node) ||
+            !ruby_node ||
+            !tag_helper?(send_node) ||
+            source.include?("nonce")
+
+          add_offense(
+            erb_node.loc,
+            "Missing a nonce attribute. Use nonce: true",
+            [erb_node, send_node]
+          )
+        end
+      end
+
+      def tag_helper?(send_node)
+        send_node&.method_name?(:javascript_tag) ||
+        send_node&.method_name?(:javascript_include_tag) ||
+        send_node&.method_name?(:javascript_pack_tag)
+      end
+
+      def code_comment?(indicator_node)
+        indicator_node&.loc&.source == "#"
+      end
+
+      def extract_ruby_node(source)
+        BetterHtml::TestHelper::RubyNode.parse(source)
+      rescue ::Parser::SyntaxError
+        nil
+      end
+    end
+  end
+end