gitlab-styles 9.1.0 → 10.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50eab9da6dd93cfbda3c8a8877e6ac2f8ce8274d6f92116973e6c9c1ee590d5f
-  data.tar.gz: f7e187d901c89bb4d4ba4a40d72523b10c5148ef965d60b243e8c09c9bc21642
+  metadata.gz: be58fa1f46b81e0e8a73c3c85843048680518c23e846bcf54a1df301c53cfa18
+  data.tar.gz: 95f2466fb2ae6f5dcfcfce8b7e9343101588b9627f0c9c061c53beac597126e9
 SHA512:
-  metadata.gz: a9d90f34b3a3e6d97c6a791c5f91a26318b956751a77b2827f5370e15f8717bdf30cf30ddad0c63afd1f2335707d76dd948d1c7898c0d762f9b19389dea55d49
-  data.tar.gz: 9634b21fcc052557e12ebd277279089e4cfd325b88860c45a5250da554b0f14e378b7cdf8c9648d019649cd1396b327fc7cf10d48462622f00f1af888cd61b31
+  metadata.gz: cb13dbe44128173fc03b4dddf53cfdfb67a6e8d37ffc6f4c32a4e30c33ead6e686b6023c2cff9fe7fbf95600d518b508fb9b9b68ffbb07dc8686765f65f3f638
+  data.tar.gz: 6a2774df245a7c42725e8989a8683b4953d91f70f059c0ceb41450b1c305b375f4e150ecb9418a56f60833ce166eca335ce94ba3a03fb7cf29575c7b72cbd54f

data/.gitlab-ci.yml

@@ -25,15 +25,27 @@ styles:
     - bundle exec rubocop --debug --parallel
   parallel:
     matrix:
-      - RUBY_VERSION: ['2.7', '3.0']
+      - RUBY_VERSION: ['2.7', '3.0', '3.1', '3.2']
 
 specs:
   stage: test
   script:
+    # Disable simplecov for all Ruby version other than 3.0
+    - if [[ "$RUBY_VERSION" != "3.0" ]]; then export SIMPLECOV=0; fi
     - bundle exec rspec
   parallel:
     matrix:
-      - RUBY_VERSION: ['2.7', '3.0']
+      - RUBY_VERSION: ['2.7', '3.0', '3.1', '3.2']
+  artifacts:
+    name: coverage
+    expire_in: 31d
+    paths:
+      - coverage/index.html
+      - coverage/assets/
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/coverage.xml
 
 include:
   - project: 'gitlab-org/quality/pipeline-common'

data/.rubocop.yml

@@ -1,12 +1,13 @@
 inherit_from:
+  - .rubocop_todo.yml
   - rubocop-default.yml
 
 require:
   - rubocop/cop/internal_affairs
+  - rubocop-rake
 
 AllCops:
   NewCops: disable # https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/issues/40
-  SuggestExtensions: false # https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/issues/39
 
 InternalAffairs/DeprecateCopHelper:
   Enabled: true

data/.rubocop_todo.yml

@@ -0,0 +1,12 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2023-01-11 12:59:00 UTC using RuboCop version 1.43.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+InternalAffairs/InheritDeprecatedCopClass:
+  Exclude:
+    - 'lib/rubocop/cop/gitlab_security/json_serialization.rb'

data/.tests_mapping.yml

@@ -0,0 +1,10 @@
+---
+mapping:
+  - source: 'lib/(.+)\.rb'
+    test: 'spec/%s_spec.rb'
+
+  - source: 'rubocop-.*\.yml'
+    test: 'spec/yml_spec.rb'
+
+  - source: '(spec/.*_spec\.rb)'
+    test: '%s'

data/Gemfile

@@ -6,12 +6,17 @@ source 'https://rubygems.org'
 gemspec
 
 group :development do
-  gem "lefthook", require: false
+  gem 'lefthook', require: false
+  gem 'test_file_finder', '~> 0.1.4'
 end
 
 group :test do
   # Pin these dependencies, otherwise a new rule could break the CI pipelines
-  gem 'rubocop', '1.38.0'
-  gem 'rubocop-rspec', '2.15.0'
-  gem 'rspec-parameterized', '0.5.2', require: false
+  gem 'rubocop', '1.43.0'
+  gem 'rubocop-rspec', '2.18.1'
+  gem 'rspec-parameterized-table_syntax', '1.0.0', require: false
+
+  gem 'simplecov', '~> 0.22.0', require: false
+  gem 'simplecov-html', '~> 0.12.3', require: false
+  gem 'simplecov-cobertura', '~> 2.1.0', require: false
 end

data/README.md

@@ -80,13 +80,6 @@ bundle exec rubocop -c .rubocop.yml
 lefthook install
 ```
 
-## Contributing
-
-Bug reports and merge requests are welcome on GitLab at
-https://gitlab.com/gitlab-org/gitlab-styles. This project is intended to be a
-safe, welcoming space for collaboration, and contributors are expected to adhere
-to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
-
 ## Release Process
 
 We release `gitlab-styles` on an ad-hoc basis. There is no regularity to when
@@ -98,10 +91,18 @@ To release a new version:
 1. Create a Merge Request.
 1. Use Merge Request template [Release.md](https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/blob/master/.gitlab/merge_request_templates/Release.md).
 1. Follow the instructions.
-1. A new gem version is [published automatically](https://gitlab.com/gitlab-org/quality/pipeline-common/-/blob/master/ci/gem-release.yml) after the Merge Request has been merged.
+1. (Optional, but appreciated) Create an MR on `gitlab-org/gitlab` project [with the `New Version of gitlab-styles.md` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/merge_request_templates/New%20Version%20of%20gitlab-styles.md) to test the new version of `gitlab-styles`, and follow the MR instructions.
+1. After the Merge Request has been merged, a new gem version is [published automatically](https://gitlab.com/gitlab-org/quality/pipeline-common/-/blob/master/ci/gem-release.yml)
 
 See [!123](https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/merge_requests/123) as an example.
 
+## Contributing
+
+Bug reports and merge requests are welcome on GitLab at
+https://gitlab.com/gitlab-org/gitlab-styles. This project is intended to be a
+safe, welcoming space for collaboration, and contributors are expected to adhere
+to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
 ## License
 
 The gem is available as open source under the terms of the

data/gitlab-styles.gemspec

@@ -22,15 +22,15 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'rubocop', '~> 1.38.0'
-  spec.add_dependency 'rubocop-gitlab-security', '~> 0.1.1'
-  spec.add_dependency 'rubocop-graphql', '~> 0.14'
-  spec.add_dependency 'rubocop-performance', '~> 1.14'
-  spec.add_dependency 'rubocop-rails', '~> 2.15'
-  spec.add_dependency 'rubocop-rspec', '~> 2.15'
+  spec.add_dependency 'rubocop', '~> 1.43.0'
+  spec.add_dependency 'rubocop-graphql', '~> 0.18'
+  spec.add_dependency 'rubocop-performance', '~> 1.15'
+  spec.add_dependency 'rubocop-rails', '~> 2.17'
+  spec.add_dependency 'rubocop-rspec', '~> 2.18'
 
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'gitlab-dangerfiles', '~> 2.11.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop-rake', '~> 0.6'
 end

data/lefthook.yml

@@ -10,7 +10,15 @@ pre-push:
       glob: '*.{rb,rake}'
       run: bundle exec rubocop --parallel --force-exclusion {files}
 
-    # Run all tests (warn if there are any missing tools required for tests).
+    # Run only relevant specs.
     rspec:
-      run: bundle exec rspec -f progress
-      glob: '*.rb'
+      files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
+      run: |
+        tests=$(tff --mapping-file .tests_mapping.yml {files})
+        if [ "$tests" != "" ]; then
+          echo "bundle exec rspec --format progress $tests"
+          bundle exec rspec --format progress $tests
+        else
+          echo "No specs to run."
+          exit 0
+        fi

data/lib/gitlab/styles/version.rb

@@ -2,6 +2,6 @@
 
 module Gitlab
   module Styles
-    VERSION = '9.1.0'
+    VERSION = '10.0.0'
   end
 end

data/lib/rubocop/cop/active_record_dependent.rb

@@ -1,13 +1,9 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `dependent: ...` in ActiveRecord models.
     class ActiveRecordDependent < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not use `dependent:` to remove associated data, ' \
             'use foreign keys with cascading deletes instead.'
 
@@ -15,7 +11,6 @@ module Rubocop
       ALLOWED_OPTIONS = [:restrict_with_error].freeze
 
       def on_send(node)
-        return unless in_model?(node)
         return unless METHOD_NAMES.include?(node.children[1])
 
         node.children.last.each_node(:pair) do |pair|

data/lib/rubocop/cop/active_record_serialize.rb

@@ -1,18 +1,12 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `serialize` in ActiveRecord models.
     class ActiveRecordSerialize < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not store serialized data in the database, use separate columns and/or tables instead'
 
       def on_send(node)
-        return unless in_model?(node)
-
         add_offense(node.loc.selector) if node.children[1] == :serialize
       end
     end

data/lib/rubocop/cop/avoid_return_from_blocks.rb

@@ -23,7 +23,7 @@ module Rubocop
     class AvoidReturnFromBlocks < RuboCop::Cop::Base
       MSG = 'Do not return from a block, use next or break instead.'
       DEF_METHODS = %i[define_method lambda].freeze
-      WHITELISTED_METHODS = %i[each each_filename times loop].freeze
+      ALLOWED_METHODS = %i[each each_filename times loop].freeze
 
       def on_block(node)
         block_body = node.body
@@ -32,7 +32,7 @@ module Rubocop
         return unless top_block?(node)
 
         block_body.each_node(:return) do |return_node|
-          next if parent_blocks(node, return_node).all? { |block| whitelisted?(block) }
+          next if parent_blocks(node, return_node).all? { |block| allowed?(block) }
 
           add_offense(return_node)
         end
@@ -71,8 +71,8 @@ module Rubocop
           (node.block_type? && DEF_METHODS.include?(node.method_name))
       end
 
-      def whitelisted?(block_node)
-        WHITELISTED_METHODS.include?(block_node.method_name)
+      def allowed?(block_node)
+        ALLOWED_METHODS.include?(block_node.method_name)
       end
     end
   end

data/lib/rubocop/cop/gem_fetcher.rb

@@ -6,31 +6,29 @@ module Rubocop
     # `Gemfile` in order to avoid additional points of failure beyond
     # rubygems.org.
     class GemFetcher < RuboCop::Cop::Base
-      MSG = 'Do not use gems from git repositories, only use gems from RubyGems.'
+      MSG = 'Do not use gems from git repositories, only use gems from RubyGems or vendored gems. ' \
+            'See https://docs.gitlab.com/ee/development/gemfile.html#no-gems-fetched-from-git-repositories'
 
-      GIT_KEYS = [:git, :github].freeze
+      # See https://bundler.io/guides/git.html#custom-git-sources
+      GIT_SOURCES = %i[git github gist bitbucket].freeze
 
-      def on_send(node)
-        return unless gemfile?(node)
-
-        func_name = node.children[1]
-        return unless func_name == :gem
+      # @!method gem_option(node)
+      def_node_matcher :gem_option, <<~PATTERN
+        (send nil? :gem _ ...
+          (hash
+            <$(pair (sym {#{GIT_SOURCES.map(&:inspect).join(' ')}}) _)
+            ...>
+          )
+        )
+      PATTERN
 
-        node.children.last.each_node(:pair) do |pair|
-          key_name = pair.children[0].children[0].to_sym
-          add_offense(pair.source_range) if GIT_KEYS.include?(key_name)
-        end
-      end
+      RESTRICT_ON_SEND = %i[gem].freeze
 
-      private
+      def on_send(node)
+        pair_node = gem_option(node)
+        return unless pair_node
 
-      def gemfile?(node)
-        node
-          .location
-          .expression
-          .source_buffer
-          .name
-          .end_with?("Gemfile")
+        add_offense(pair_node)
       end
     end
   end

data/lib/rubocop/cop/gitlab_security/deep_munge.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for disabling the deep munge security control.
+      #
+      # Disabling this security setting can leave the application open to unsafe
+      # query generation
+      #
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      #
+      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
+      class DeepMunge < RuboCop::Cop::Base
+        MSG = 'Never disable the deep munge security option.'
+
+        # @!method disable_deep_munge?(node)
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send
+            (send (send nil? :config) :action_dispatch) :perform_deep_munge=
+              { (false) (send true :!) }
+          )
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/json_serialization.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without allowing via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Cop
+        MSG = "Don't use `%s` without specifying `only`"
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        # @!method json_serialization?(node)
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil? hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        # @!method only_pair?(node)
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        # @!method include_pair?(node)
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        # @!method contains_only?(node)
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        # @!method constant_init(node)
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil? $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            # Empty `to_json` call
+            add_offense(node, location: :selector, message: format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, message: format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              add_offense(child_node, message: format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          offenses.count.zero?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/public_send.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
+      #
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
+      #
+      # @example
+      #
+      #   # bad
+      #   myobj.public_send("#{params[:foo]}")
+      #
+      #   # good
+      #   case params[:foo].to_s
+      #   when 'choice1'
+      #     items.choice1
+      #   when 'choice2'
+      #     items.choice2
+      #   when 'choice3'
+      #     items.choice3
+      #   end
+      class PublicSend < RuboCop::Cop::Base
+        MSG = 'Avoid using `%s`.'
+
+        RESTRICT_ON_SEND = %i[send public_send __send__].freeze
+
+        # @!method send?(node)
+        def_node_matcher :send?, <<-PATTERN
+          ({csend | send} _ ${:send :public_send :__send__} ...)
+        PATTERN
+
+        def on_send(node)
+          send?(node) do |match|
+            next unless node.arguments?
+
+            add_offense(node.loc.selector, message: format(MSG, match))
+          end
+        end
+
+        alias_method :on_csend, :on_send
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of redirect_to(params.update())
+      #
+      # Passing user params to the redirect_to method provides an open redirect
+      #
+      # @example
+      #
+      #   # bad
+      #   redirect_to(params.update(action: 'main'))
+      #
+      #   # good
+      #   redirect_to(allowed(params))
+      #
+      class RedirectToParamsUpdate < RuboCop::Cop::Base
+        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
+              'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
+
+        # @!method redirect_to_params_update_node(node)
+        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
+           (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
+        PATTERN
+
+        def on_send(node)
+          selected, name = redirect_to_params_update_node(node)
+          return unless name
+
+          message = format(MSG, name: name)
+
+          add_offense(selected, message: message)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/send_file_params.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of send_file(..., params[], ...)
+      #
+      # Passing user params to the send_file() method allows directory traversal
+      #
+      # @example
+      #
+      #   # bad
+      #   send_file("/tmp/myproj/" + params[:filename])
+      #
+      #   # good (verify directory)
+
+      #   basename = File.expand_path("/tmp/myproj")
+      #   filename = File.expand_path(File.join(basename, @file.public_filename))
+      #   raise if basename != filename
+      #   send_file filename, disposition: 'inline'
+      #
+      class SendFileParams < RuboCop::Cop::Base
+        MSG = 'Do not pass user provided params directly to send_file(), ' \
+              'verify the path with file.expand_path() first.'
+
+        # @!method params_node?(node)
+        def_node_search :params_node?, <<-PATTERN
+           (send (send nil? :params) ... )
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:send_file)
+          return unless node.arguments.any? { |e| params_node?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/sql_injection.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Base
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
+
+        # @!method where_user_input?(node)
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        # @!method string_var_string?(node)
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.arguments.any? { |e| string_var_string?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end