gitlab-styles 9.2.0 → 10.1.0

data/lib/rubocop/cop/gitlab_security/json_serialization.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without allowing via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Cop
+        MSG = "Don't use `%s` without specifying `only`"
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        # @!method json_serialization?(node)
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil? hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        # @!method only_pair?(node)
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        # @!method include_pair?(node)
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        # @!method contains_only?(node)
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        # @!method constant_init(node)
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil? $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            # Empty `to_json` call
+            add_offense(node, location: :selector, message: format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, message: format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              add_offense(child_node, message: format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          offenses.count.zero?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/public_send.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
+      #
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
+      #
+      # @example
+      #
+      #   # bad
+      #   myobj.public_send("#{params[:foo]}")
+      #
+      #   # good
+      #   case params[:foo].to_s
+      #   when 'choice1'
+      #     items.choice1
+      #   when 'choice2'
+      #     items.choice2
+      #   when 'choice3'
+      #     items.choice3
+      #   end
+      class PublicSend < RuboCop::Cop::Base
+        MSG = 'Avoid using `%s`.'
+
+        RESTRICT_ON_SEND = %i[send public_send __send__].freeze
+
+        # @!method send?(node)
+        def_node_matcher :send?, <<-PATTERN
+          ({csend | send} _ ${:send :public_send :__send__} ...)
+        PATTERN
+
+        def on_send(node)
+          send?(node) do |match|
+            next unless node.arguments?
+
+            add_offense(node.loc.selector, message: format(MSG, match))
+          end
+        end
+
+        alias_method :on_csend, :on_send
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of redirect_to(params.update())
+      #
+      # Passing user params to the redirect_to method provides an open redirect
+      #
+      # @example
+      #
+      #   # bad
+      #   redirect_to(params.update(action: 'main'))
+      #
+      #   # good
+      #   redirect_to(allowed(params))
+      #
+      class RedirectToParamsUpdate < RuboCop::Cop::Base
+        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
+              'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
+
+        # @!method redirect_to_params_update_node(node)
+        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
+           (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
+        PATTERN
+
+        def on_send(node)
+          selected, name = redirect_to_params_update_node(node)
+          return unless name
+
+          message = format(MSG, name: name)
+
+          add_offense(selected, message: message)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/send_file_params.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of send_file(..., params[], ...)
+      #
+      # Passing user params to the send_file() method allows directory traversal
+      #
+      # @example
+      #
+      #   # bad
+      #   send_file("/tmp/myproj/" + params[:filename])
+      #
+      #   # good (verify directory)
+
+      #   basename = File.expand_path("/tmp/myproj")
+      #   filename = File.expand_path(File.join(basename, @file.public_filename))
+      #   raise if basename != filename
+      #   send_file filename, disposition: 'inline'
+      #
+      class SendFileParams < RuboCop::Cop::Base
+        MSG = 'Do not pass user provided params directly to send_file(), ' \
+              'verify the path with file.expand_path() first.'
+
+        # @!method params_node?(node)
+        def_node_search :params_node?, <<-PATTERN
+           (send (send nil? :params) ... )
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:send_file)
+          return unless node.arguments.any? { |e| params_node?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/sql_injection.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Base
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
+
+        # @!method where_user_input?(node)
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        # @!method string_var_string?(node)
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.arguments.any? { |e| string_var_string?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/system_command_injection.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      #
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #{filename}")
+      #
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Base
+        MSG = 'Do not include variables in the command name for system(). ' \
+              'Use parameters "system(cmd, params)" or exec() instead.'
+
+        # @!method system_var?(node)
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.arguments.any? { |e| system_var?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/in_batches.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `in_batches`

data/lib/rubocop/cop/internal_affairs/missing_cop_department.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module InternalAffairs
+      # Enforces the use of explicit department names for cop rules.
+      #
+      # @example
+      #   # bad
+      #   module RuboCop
+      #     module Cop
+      #       class Implicit
+      #       end
+      #     end
+      #   end
+      #
+      #   module RuboCop
+      #     module Cop
+      #       module Cop
+      #         class Explicit
+      #         end
+      #       end
+      #     end
+      #   end
+      #
+      #   # good
+      #   module RuboCop
+      #     module Cop
+      #       module Foo
+      #         class Implicit
+      #         end
+      #       end
+      #     end
+      #   end
+      #
+      #   module RuboCop
+      #     module Cop
+      #       module Foo
+      #         class Explicit
+      #         end
+      #       end
+      #     end
+      #   end
+      class MissingCopDepartment < Base
+        MSG = 'Define a proper department. Using `Cop/` as department is discourged.'
+
+        COP_DEPARTMENT = 'Cop'
+
+        def on_class(node)
+          namespace = full_namespace(node)
+
+          # Skip top-level RuboCop::Cop
+          names = namespace.drop(2)
+
+          add_offense(node.loc.name) if names.size < 2 || names.first == COP_DEPARTMENT
+        end
+
+        private
+
+        def full_namespace(node)
+          (node_namespace(node) + parents_namespace(node)).reverse
+        end
+
+        def node_namespace(node)
+          name_parts(node).reverse
+        end
+
+        def parents_namespace(node)
+          node
+            .each_ancestor(:module, :class)
+            .flat_map { |node| name_parts(node) }
+        end
+
+        def name_parts(node)
+          node.identifier.source.split('::')
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/internal_affairs/use_restrict_on_send.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module InternalAffairs
+      # Flags if `RESTRICT_ON_SEND` constant not defined and method name is
+      # checked programmatically in `on_send` methods.
+      #
+      # @example
+      #   # bad
+      #   def on_send(node)
+      #     return unless method_name(node) == :foo
+      #     return unless node.children[1] == :foo
+      #     return unless METHOD_NAMES.include?(method_name(node))
+      #
+      #     name = node.children[1]
+      #     return unless name == :foo
+      #     name2 = method_name(node)
+      #     return unless name == :foo
+      #
+      #     # more code
+      #   end
+      #
+      #   # good
+      #   RESTRICT_ON_SEND = %i[foo].freeze
+      #
+      #   def on_send(node)
+      #     # more code
+      #   end
+      #
+      #   # ignored - not `on_send`
+      #   def on_def(node)
+      #     return unless method_name(node) == :foo
+      #   end
+      #
+      #   # ignored - `else` branch
+      #   def on_send(node)
+      #     if method_name(node) == :foo
+      #       add_offense(node)
+      #     else
+      #       something_else
+      #     end
+      #   end
+      class UseRestrictOnSend < Base
+        MSG = 'Define constant `RESTRICT_ON_SEND` to speed up calls to `on_send`. ' \
+              'The following line is then no longer necessary:'
+
+        # @!method method_name_plain(node)
+        def_node_matcher :method_name_plain, <<~PATTERN
+          {
+            (send _ :method_name _ ...)       # method_name(node)
+            (send
+              (send _ :children) :[] (int 1)  # node.children[1]
+            )
+          }
+        PATTERN
+
+        # @!method method_name_call(node)
+        def_node_matcher :method_name_call, <<~PATTERN
+          {
+            #method_name_plain
+            (lvar %1)
+          }
+        PATTERN
+
+        # @!method method_name_assignment(node)
+        def_node_search :method_name_assignment, <<~PATTERN
+          (lvasgn $_name #method_name_plain)
+        PATTERN
+
+        # @!method method_name_check(node)
+        def_node_search :method_name_check, <<~PATTERN
+          (if
+            ${
+              (send #method_name_call(%1) {:== :!=} _) # method_name(node) == foo
+              (send _ :include? #method_name_call(%1)) # a.include?(method_name(node))
+            }
+            {!nil? nil? | nil? !nil?}                  # has either `if` or `else` branch - not both
+          )
+        PATTERN
+
+        def on_def(node)
+          return unless node.method?(:on_send)
+          return if @restrict_on_send_set
+
+          local_assignments = method_name_assignment(node).to_set
+
+          method_name_check(node, local_assignments) do |call_node|
+            add_offense(call_node)
+          end
+        end
+
+        def on_casgn(node)
+          @restrict_on_send_set = true if node.name == :RESTRICT_ON_SEND
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/line_break_after_guard_clauses.rb

@@ -56,6 +56,8 @@ module Rubocop
     #
     #   do_something_more
     class LineBreakAfterGuardClauses < RuboCop::Cop::Base
+      extend RuboCop::Cop::AutoCorrector
+
       MSG = 'Add a line break after guard clauses'
 
       # @!method guard_clause_node?(node)
@@ -68,12 +70,8 @@ module Rubocop
         return unless guard_clause?(node)
         return if next_line(node).blank? || clause_last_line?(next_line(node)) || guard_clause?(next_sibling(node))
 
-        add_offense(node)
-      end
-
-      def autocorrect(node)
-        lambda do |corrector|
-          corrector.insert_after(node.loc.expression, "\n")
+        add_offense(node) do |corrector|
+          corrector.insert_after(node, "\n")
         end
       end
 

data/lib/rubocop/cop/line_break_around_conditional_block.rb

@@ -125,7 +125,7 @@ module Rubocop
       end
 
       def in_haml?(node)
-        node.location.expression.source_buffer.name.end_with?('.haml.rb')
+        node.source_range.source_buffer.name.end_with?('.haml.rb')
       end
     end
   end

data/lib/rubocop/cop/migration/update_large_table.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require_relative '../../../gitlab/styles/rubocop/migration_helpers'
 
 module Rubocop

data/lib/rubocop/cop/polymorphic_associations.rb

@@ -1,17 +1,12 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of polymorphic associations
     class PolymorphicAssociations < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not use polymorphic associations, use separate tables instead'
 
       def on_send(node)
-        return unless in_model?(node)
         return unless node.children[1] == :belongs_to
 
         node.children.last.each_node(:pair) do |pair|

data/lib/rubocop/cop/rails/include_url_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     module Rails

data/lib/rubocop/cop/redirect_with_status.rb

@@ -2,44 +2,58 @@
 
 module Rubocop
   module Cop
-    # Prevents usage of 'redirect_to' in actions 'destroy' without specifying 'status'.
+    # Prevents usage of 'redirect_to' in actions 'destroy' and 'destroy_all'
+    # without specifying 'status'.
+    #
+    # @example
+    #   # bad
+    #
+    #   def destroy
+    #     redirect_to root_path
+    #   end
+    #
+    #   def destroy_all
+    #     redirect_to root_path, alert: 'Oh no!'
+    #   end
+    #
+    #   # good
+    #
+    #   def destroy
+    #     redirect_to root_path, status: 302
+    #   end
+    #
+    #   def destroy_all
+    #     redirect_to root_path, alert: 'Oh no!', status: 302
+    #   end
+    #
+    #   def show
+    #     redirect_to root_path
+    #   end
+    #
     # See https://gitlab.com/gitlab-org/gitlab-ce/issues/31840
     class RedirectWithStatus < RuboCop::Cop::Base
-      MSG = 'Do not use "redirect_to" without "status" in "destroy" action'
+      MSG = 'Do not use "redirect_to" without "status" in "%<name>s" action.'
 
-      def on_def(node)
-        return unless in_controller?(node)
-        return unless destroy?(node) || destroy_all?(node)
+      RESTRICT_ON_SEND = %i[redirect_to].freeze
 
-        node.each_descendant(:send) do |def_node|
-          next unless redirect_to?(def_node)
+      ACTIONS = %i[destroy destroy_all].to_set.freeze
 
-          methods = []
+      # @!method redirect_to_with_status?(node)
+      def_node_matcher :redirect_to_with_status?, <<~PATTERN
+        (send nil? :redirect_to ...
+          (hash <(pair (sym :status) _) ...>)
+        )
+      PATTERN
 
-          def_node.children.last.each_node(:pair) do |pair|
-            methods << pair.children.first.children.first
-          end
+      def on_send(node)
+        return if redirect_to_with_status?(node)
 
-          add_offense(def_node.loc.selector) unless methods.include?(:status)
-        end
-      end
-
-      private
-
-      def in_controller?(node)
-        node.location.expression.source_buffer.name.end_with?('_controller.rb')
-      end
+        node.each_ancestor(:def) do |def_node|
+          next unless ACTIONS.include?(def_node.method_name)
 
-      def destroy?(node)
-        node.children.first == :destroy
-      end
-
-      def destroy_all?(node)
-        node.children.first == :destroy_all
-      end
-
-      def redirect_to?(node)
-        node.children[1] == :redirect_to
+          message = format(MSG, name: def_node.method_name)
+          add_offense(node.loc.selector, message: message)
+        end
       end
     end
   end