erb_lint 0.0.37 → 0.1.1

data/lib/erb_lint/linters/erb_safety.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'better_html/test_helper/safe_erb_tester'
+require "better_html"
+require "better_html/test_helper/safe_erb_tester"
 
 module ERBLint
   module Linters

data/lib/erb_lint/linters/extra_newline.rb

@@ -22,7 +22,7 @@ module ERBLint
 
       def autocorrect(_processed_source, offense)
         lambda do |corrector|
-          corrector.replace(offense.source_range, '')
+          corrector.replace(offense.source_range, "")
         end
       end
     end

data/lib/erb_lint/linters/final_newline.rb

@@ -28,7 +28,7 @@ module ERBLint
           if final_newline.empty?
             add_offense(
               processed_source.to_source_range(file_content.size...file_content.size),
-              'Missing a trailing newline at the end of the file.',
+              "Missing a trailing newline at the end of the file.",
               :insert
             )
           else
@@ -36,7 +36,7 @@ module ERBLint
               processed_source.to_source_range(
                 (file_content.size - final_newline.size + 1)...file_content.size
               ),
-              'Remove multiple trailing newline at the end of the file.',
+              "Remove multiple trailing newline at the end of the file.",
               :remove
             )
           end

data/lib/erb_lint/linters/hard_coded_string.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require "set"
-require 'better_html/tree/tag'
-require 'active_support/core_ext/string/inflections'
+require "better_html/tree/tag"
+require "active_support/core_ext/string/inflections"
 
 module ERBLint
   module Linters
@@ -13,17 +13,37 @@ module ERBLint
       MissingCorrector = Class.new(StandardError)
       MissingI18nLoadPath = Class.new(StandardError)
 
-      ALLOWED_CORRECTORS = %w(
-        I18nCorrector
-        RuboCop::Corrector::I18n::HardCodedString
-      )
-
-      NON_TEXT_TAGS = Set.new(%w(script style xmp iframe noembed noframes listing))
-      BLACK_LISTED_TEXT = Set.new(%w(       ))
+      ALLOWED_CORRECTORS = ["I18nCorrector", "RuboCop::Corrector::I18n::HardCodedString"]
+
+      NON_TEXT_TAGS = Set.new(["script", "style", "xmp", "iframe", "noembed", "noframes", "listing"])
+      TEXT_NOT_ALLOWED = Set.new([
+        " ",
+        "&",
+        "<",
+        ">",
+        """,
+        "©",
+        "®",
+        "™",
+        "…",
+        "—",
+        "•",
+        "“",
+        "”",
+        "‘",
+        "’",
+        "←",
+        "→",
+        "↓",
+        "↑",
+        " ",
+        " ",
+        " ",
+      ])
 
       class ConfigSchema < LinterConfig
         property :corrector, accepts: Hash, required: false, default: -> { {} }
-        property :i18n_load_path, accepts: String, required: false, default: ''
+        property :i18n_load_path, accepts: String, required: false, default: ""
       end
       self.config_schema = ConfigSchema
 
@@ -65,7 +85,7 @@ module ERBLint
         return unless string.strip.length > 1
         node = ::RuboCop::AST::StrNode.new(:str, [string])
         corrector = klass.new(node, processed_source.filename, corrector_i18n_load_path, offense.source_range)
-        corrector.autocorrect(tag_start: '<%= ', tag_end: ' %>')
+        corrector.autocorrect(tag_start: "<%= ", tag_end: " %>")
       rescue MissingCorrector, MissingI18nLoadPath
         nil
       end
@@ -73,20 +93,20 @@ module ERBLint
       private
 
       def check_string?(str)
-        string = str.gsub(/\s*/, '')
-        string.length > 1 && !BLACK_LISTED_TEXT.include?(string)
+        string = str.gsub(/\s*/, "")
+        string.length > 1 && !TEXT_NOT_ALLOWED.include?(string)
       end
 
       def load_corrector
-        corrector_name = @config['corrector'].fetch('name') { raise MissingCorrector }
+        corrector_name = @config["corrector"].fetch("name") { raise MissingCorrector }
         raise ForbiddenCorrector unless ALLOWED_CORRECTORS.include?(corrector_name)
-        require @config['corrector'].fetch('path') { raise MissingCorrector }
+        require @config["corrector"].fetch("path") { raise MissingCorrector }
 
         corrector_name.safe_constantize
       end
 
       def corrector_i18n_load_path
-        @config['corrector'].fetch('i18n_load_path') { raise MissingI18nLoadPath }
+        @config["corrector"].fetch("i18n_load_path") { raise MissingI18nLoadPath }
       end
 
       def non_text_tag?(processed_source, text_node)

data/lib/erb_lint/linters/no_javascript_tag_helper.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'better_html/ast/node'
-require 'better_html/test_helper/ruby_node'
-require 'erb_lint/utils/block_map'
-require 'erb_lint/utils/ruby_to_erb'
+require "better_html"
+require "better_html/ast/node"
+require "better_html/test_helper/ruby_node"
+require "erb_lint/utils/block_map"
+require "erb_lint/utils/ruby_to_erb"
 
 module ERBLint
   module Linters
@@ -21,7 +21,7 @@ module ERBLint
         parser.ast.descendants(:erb).each do |erb_node|
           indicator_node, _, code_node, _ = *erb_node
           indicator = indicator_node&.loc&.source
-          next if indicator == '#'
+          next if indicator == "#"
           source = code_node.loc.source
 
           ruby_node =
@@ -63,10 +63,10 @@ module ERBLint
         return unless (0..2).cover?(argument_nodes.size)
 
         script_content = unless argument_nodes.first&.type?(:hash)
-          Utils::RubyToERB.ruby_to_erb(argument_nodes.first, '==')
+          Utils::RubyToERB.ruby_to_erb(argument_nodes.first, "==")
         end
         arguments = if argument_nodes.last&.type?(:hash)
-          ' ' + Utils::RubyToERB.html_options_to_tag_attributes(argument_nodes.last)
+          " " + Utils::RubyToERB.html_options_to_tag_attributes(argument_nodes.last)
         end
 
         return if end_node && script_content

data/lib/erb_lint/linters/partial_instance_variable.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module ERBLint
+  module Linters
+    # Checks for instance variables in partials.
+    class PartialInstanceVariable < Linter
+      include LinterRegistry
+
+      def run(processed_source)
+        instance_variable_regex = /\s@\w+/
+        return unless processed_source.filename.match?(/.*_.*.erb\z/) &&
+          processed_source.file_content.match?(instance_variable_regex)
+
+        add_offense(
+          processed_source.to_source_range(
+            processed_source.file_content =~ instance_variable_regex..processed_source.file_content.size
+          ),
+          "Instance variable detected in partial."
+        )
+      end
+    end
+  end
+end

data/lib/erb_lint/linters/require_input_autocomplete.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require "better_html"
+require "better_html/tree/tag"
+
+module ERBLint
+  module Linters
+    class RequireInputAutocomplete < Linter
+      include LinterRegistry
+
+      HTML_INPUT_TYPES_REQUIRING_AUTOCOMPLETE = [
+        "color",
+        "date",
+        "datetime-local",
+        "email",
+        "month",
+        "number",
+        "password",
+        "range",
+        "search",
+        "tel",
+        "text",
+        "time",
+        "url",
+        "week",
+      ].freeze
+
+      FORM_HELPERS_REQUIRING_AUTOCOMPLETE = [
+        :date_field_tag,
+        :color_field_tag,
+        :email_field_tag,
+        :text_field_tag,
+        :utf8_enforcer_tag,
+        :month_field_tag,
+        :number_field_tag,
+        :password_field_tag,
+        :search_field_tag,
+        :telephone_field_tag,
+        :time_field_tag,
+        :url_field_tag,
+        :week_field_tag,
+      ].freeze
+
+      def run(processed_source)
+        parser = processed_source.parser
+
+        find_html_input_tags(parser)
+        find_rails_helper_input_tags(parser)
+      end
+
+      private
+
+      def find_html_input_tags(parser)
+        parser.nodes_with_type(:tag).each do |tag_node|
+          tag = BetterHtml::Tree::Tag.from_node(tag_node)
+
+          autocomplete_attribute = tag.attributes["autocomplete"]
+          type_attribute = tag.attributes["type"]
+
+          next if !html_input_tag?(tag) || autocomplete_present?(autocomplete_attribute)
+          next unless html_type_requires_autocomplete_attribute?(type_attribute)
+
+          add_offense(
+            tag_node.to_a[1].loc,
+            "Input tag is missing an autocomplete attribute. If no "\
+            "autocomplete behaviour is desired, use the value `off` or `nope`.",
+            [autocomplete_attribute]
+          )
+        end
+      end
+
+      def autocomplete_present?(autocomplete_attribute)
+        autocomplete_attribute.present? && autocomplete_attribute.value_node.present?
+      end
+
+      def html_input_tag?(tag)
+        !tag.closing? && tag.name == "input"
+      end
+
+      def html_type_requires_autocomplete_attribute?(type_attribute)
+        type_present = type_attribute.present? && type_attribute.value_node.present?
+        type_present && HTML_INPUT_TYPES_REQUIRING_AUTOCOMPLETE.include?(type_attribute.value)
+      end
+
+      def find_rails_helper_input_tags(parser)
+        parser.ast.descendants(:erb).each do |erb_node|
+          indicator_node, _, code_node, _ = *erb_node
+          source = code_node.loc.source
+          ruby_node = extract_ruby_node(source)
+          send_node = ruby_node&.descendants(:send)&.first
+
+          next if code_comment?(indicator_node) ||
+            !ruby_node ||
+            !input_helper?(send_node) ||
+            source.include?("autocomplete")
+
+          add_offense(
+            erb_node.loc,
+            "Input field helper is missing an autocomplete attribute. If no "\
+            "autocomplete behaviour is desired, use the value `off` or `nope`.",
+            [erb_node, send_node]
+          )
+        end
+      end
+
+      def input_helper?(send_node)
+        FORM_HELPERS_REQUIRING_AUTOCOMPLETE.include?(send_node&.method_name)
+      end
+
+      def code_comment?(indicator_node)
+        indicator_node&.loc&.source == "#"
+      end
+
+      def extract_ruby_node(source)
+        BetterHtml::TestHelper::RubyNode.parse(source)
+      rescue ::Parser::SyntaxError
+        nil
+      end
+    end
+  end
+end

data/lib/erb_lint/linters/require_script_nonce.rb

@@ -0,0 +1,92 @@
+# frozen_string_literal: true
+
+require "better_html"
+require "better_html/tree/tag"
+
+module ERBLint
+  module Linters
+    # Allow inline script tags in ERB that have a nonce attribute.
+    # This only validates inline <script> tags, as well as rails helpers like javascript_tag.
+    class RequireScriptNonce < Linter
+      include LinterRegistry
+
+      def run(processed_source)
+        parser = processed_source.parser
+
+        find_html_script_tags(parser)
+        find_rails_helper_script_tags(parser)
+      end
+
+      private
+
+      def find_html_script_tags(parser)
+        parser.nodes_with_type(:tag).each do |tag_node|
+          tag = BetterHtml::Tree::Tag.from_node(tag_node)
+          nonce_attribute = tag.attributes["nonce"]
+
+          next if !html_javascript_tag?(tag) || nonce_present?(nonce_attribute)
+
+          add_offense(
+            tag_node.to_a[1].loc,
+            "Missing a nonce attribute. Use request.content_security_policy_nonce",
+            [nonce_attribute]
+          )
+        end
+      end
+
+      def nonce_present?(nonce_attribute)
+        nonce_attribute.present? && nonce_attribute.value_node.present?
+      end
+
+      def html_javascript_tag?(tag)
+        !tag.closing? &&
+          (tag.name == "script" && !html_javascript_type_attribute?(tag))
+      end
+
+      def html_javascript_type_attribute?(tag)
+        type_attribute = tag.attributes["type"]
+
+        type_attribute &&
+          type_attribute.value_node.present? &&
+          type_attribute.value_node.to_a[1] != "text/javascript" &&
+          type_attribute.value_node.to_a[1] != "application/javascript"
+      end
+
+      def find_rails_helper_script_tags(parser)
+        parser.ast.descendants(:erb).each do |erb_node|
+          indicator_node, _, code_node, _ = *erb_node
+          source = code_node.loc.source
+          ruby_node = extract_ruby_node(source)
+          send_node = ruby_node&.descendants(:send)&.first
+
+          next if code_comment?(indicator_node) ||
+            !ruby_node ||
+            !tag_helper?(send_node) ||
+            source.include?("nonce")
+
+          add_offense(
+            erb_node.loc,
+            "Missing a nonce attribute. Use nonce: true",
+            [erb_node, send_node]
+          )
+        end
+      end
+
+      def tag_helper?(send_node)
+        send_node&.method_name?(:javascript_tag) ||
+        send_node&.method_name?(:javascript_include_tag) ||
+        send_node&.method_name?(:javascript_pack_tag)
+      end
+
+      def code_comment?(indicator_node)
+        indicator_node&.loc&.source == "#"
+      end
+
+      def extract_ruby_node(source)
+        BetterHtml::TestHelper::RubyNode.parse(source)
+      rescue ::Parser::SyntaxError
+        nil
+      end
+    end
+  end
+end

data/lib/erb_lint/linters/right_trim.rb

@@ -8,7 +8,7 @@ module ERBLint
       include LinterRegistry
 
       class ConfigSchema < LinterConfig
-        property :enforced_style, accepts: ['-', '='], default: '-'
+        property :enforced_style, accepts: ["-", "="], default: "-"
       end
       self.config_schema = ConfigSchema
 

data/lib/erb_lint/linters/rubocop.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-require 'better_html'
-require 'tempfile'
-require 'erb_lint/utils/offset_corrector'
+require "better_html"
+require "tempfile"
+require "erb_lint/utils/offset_corrector"
 
 module ERBLint
   module Linters
@@ -25,7 +25,7 @@ module ERBLint
         super
         @only_cops = @config.only
         custom_config = config_from_hash(@config.rubocop_config)
-        @rubocop_config = ::RuboCop::ConfigLoader.merge_with_default(custom_config, '')
+        @rubocop_config = ::RuboCop::ConfigLoader.merge_with_default(custom_config, "")
       end
 
       def run(processed_source)
@@ -68,13 +68,13 @@ module ERBLint
 
       def inspect_content(processed_source, erb_node)
         indicator, _, code_node, = *erb_node
-        return if indicator&.children&.first == '#'
+        return if indicator&.children&.first == "#"
 
         original_source = code_node.loc.source
-        trimmed_source = original_source.sub(BLOCK_EXPR, '').sub(SUFFIX_EXPR, '')
+        trimmed_source = original_source.sub(BLOCK_EXPR, "").sub(SUFFIX_EXPR, "")
         alignment_column = code_node.loc.column
         offset = code_node.loc.begin_pos - alignment_column
-        aligned_source = "#{' ' * alignment_column}#{trimmed_source}"
+        aligned_source = "#{" " * alignment_column}#{trimmed_source}"
 
         source = rubocop_processed_source(aligned_source, processed_source.filename)
         return unless source.valid_syntax?
@@ -156,10 +156,10 @@ module ERBLint
       end
 
       def config_from_hash(hash)
-        inherit_from = hash&.delete('inherit_from')
+        inherit_from = hash&.delete("inherit_from")
         resolve_inheritance(hash, inherit_from)
 
-        tempfile_from('.erblint-rubocop', hash.to_yaml) do |tempfile|
+        tempfile_from(".erblint-rubocop", hash.to_yaml) do |tempfile|
           ::RuboCop::ConfigLoader.load_file(tempfile.path)
         end
       end
@@ -174,7 +174,7 @@ module ERBLint
       end
 
       def base_configs(inherit_from)
-        regex = URI::DEFAULT_PARSER.make_regexp(%w(http https))
+        regex = URI::DEFAULT_PARSER.make_regexp(["http", "https"])
         configs = Array(inherit_from).compact.map do |base_name|
           if base_name =~ /\A#{regex}\z/
             ::RuboCop::ConfigLoader.load_file(::RuboCop::RemoteConfig.new(base_name, Dir.pwd))
@@ -191,7 +191,7 @@ module ERBLint
           { rubocop_correction: correction, offset: offset, bound_range: bound_range }
         end
 
-        super(offense_range, rubocop_offense.message.strip, context)
+        super(offense_range, rubocop_offense.message.strip, context, rubocop_offense.severity.name)
       end
     end
   end