gitlab-styles 9.2.0 → 10.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e3e06ef1557da413f41116af9b5b01733a309e35bcd2717e8d8ec2473470589
-  data.tar.gz: 704feb3fc08d96cde2a0cdadc8dbe5bbdde1bcb3b18a010f6b964462ec0f33aa
+  metadata.gz: be58fa1f46b81e0e8a73c3c85843048680518c23e846bcf54a1df301c53cfa18
+  data.tar.gz: 95f2466fb2ae6f5dcfcfce8b7e9343101588b9627f0c9c061c53beac597126e9
 SHA512:
-  metadata.gz: 1dcbe74347c735155eed09bfd24923dff24013454269d8edc7d5e62c4b35ebf7413958bd3b4cff55192bdc51f01dbdfdf438f853dfab322e20b96f6ed283142c
-  data.tar.gz: 74ce09358878dd2deca30b2af8698eb46f3417b9f041794c00ee5e97bda90719548fb86250ef8718a7969c23361d256e7acf5669abaaaf6d60ed23eb5608e516
+  metadata.gz: cb13dbe44128173fc03b4dddf53cfdfb67a6e8d37ffc6f4c32a4e30c33ead6e686b6023c2cff9fe7fbf95600d518b508fb9b9b68ffbb07dc8686765f65f3f638
+  data.tar.gz: 6a2774df245a7c42725e8989a8683b4953d91f70f059c0ceb41450b1c305b375f4e150ecb9418a56f60833ce166eca335ce94ba3a03fb7cf29575c7b72cbd54f

data/.gitlab-ci.yml

@@ -25,15 +25,27 @@ styles:
     - bundle exec rubocop --debug --parallel
   parallel:
     matrix:
-      - RUBY_VERSION: ['2.7', '3.0']
+      - RUBY_VERSION: ['2.7', '3.0', '3.1', '3.2']
 
 specs:
   stage: test
   script:
+    # Disable simplecov for all Ruby version other than 3.0
+    - if [[ "$RUBY_VERSION" != "3.0" ]]; then export SIMPLECOV=0; fi
     - bundle exec rspec
   parallel:
     matrix:
-      - RUBY_VERSION: ['2.7', '3.0']
+      - RUBY_VERSION: ['2.7', '3.0', '3.1', '3.2']
+  artifacts:
+    name: coverage
+    expire_in: 31d
+    paths:
+      - coverage/index.html
+      - coverage/assets/
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage/coverage.xml
 
 include:
   - project: 'gitlab-org/quality/pipeline-common'

data/.rubocop.yml

@@ -1,12 +1,13 @@
 inherit_from:
+  - .rubocop_todo.yml
   - rubocop-default.yml
 
 require:
   - rubocop/cop/internal_affairs
+  - rubocop-rake
 
 AllCops:
   NewCops: disable # https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/issues/40
-  SuggestExtensions: false # https://gitlab.com/gitlab-org/ruby/gems/gitlab-styles/-/issues/39
 
 InternalAffairs/DeprecateCopHelper:
   Enabled: true

data/.rubocop_todo.yml

@@ -0,0 +1,12 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2023-01-11 12:59:00 UTC using RuboCop version 1.43.0.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+InternalAffairs/InheritDeprecatedCopClass:
+  Exclude:
+    - 'lib/rubocop/cop/gitlab_security/json_serialization.rb'

data/.tests_mapping.yml

@@ -0,0 +1,10 @@
+---
+mapping:
+  - source: 'lib/(.+)\.rb'
+    test: 'spec/%s_spec.rb'
+
+  - source: 'rubocop-.*\.yml'
+    test: 'spec/yml_spec.rb'
+
+  - source: '(spec/.*_spec\.rb)'
+    test: '%s'

data/Gemfile

@@ -6,12 +6,17 @@ source 'https://rubygems.org'
 gemspec
 
 group :development do
-  gem "lefthook", require: false
+  gem 'lefthook', require: false
+  gem 'test_file_finder', '~> 0.1.4'
 end
 
 group :test do
   # Pin these dependencies, otherwise a new rule could break the CI pipelines
-  gem 'rubocop', '1.38.0'
-  gem 'rubocop-rspec', '2.15.0'
-  gem 'rspec-parameterized', '0.5.2', require: false
+  gem 'rubocop', '1.43.0'
+  gem 'rubocop-rspec', '2.18.1'
+  gem 'rspec-parameterized-table_syntax', '1.0.0', require: false
+
+  gem 'simplecov', '~> 0.22.0', require: false
+  gem 'simplecov-html', '~> 0.12.3', require: false
+  gem 'simplecov-cobertura', '~> 2.1.0', require: false
 end

data/gitlab-styles.gemspec

@@ -22,15 +22,15 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'rubocop', '~> 1.38.0'
-  spec.add_dependency 'rubocop-gitlab-security', '~> 0.1.1'
-  spec.add_dependency 'rubocop-graphql', '~> 0.14'
-  spec.add_dependency 'rubocop-performance', '~> 1.14'
-  spec.add_dependency 'rubocop-rails', '~> 2.15'
-  spec.add_dependency 'rubocop-rspec', '~> 2.15'
+  spec.add_dependency 'rubocop', '~> 1.43.0'
+  spec.add_dependency 'rubocop-graphql', '~> 0.18'
+  spec.add_dependency 'rubocop-performance', '~> 1.15'
+  spec.add_dependency 'rubocop-rails', '~> 2.17'
+  spec.add_dependency 'rubocop-rspec', '~> 2.18'
 
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'gitlab-dangerfiles', '~> 2.11.0'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rake', '~> 13.0'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop-rake', '~> 0.6'
 end

data/lefthook.yml

@@ -10,7 +10,15 @@ pre-push:
       glob: '*.{rb,rake}'
       run: bundle exec rubocop --parallel --force-exclusion {files}
 
-    # Run all tests (warn if there are any missing tools required for tests).
+    # Run only relevant specs.
     rspec:
-      run: bundle exec rspec -f progress
-      glob: '*.rb'
+      files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
+      run: |
+        tests=$(tff --mapping-file .tests_mapping.yml {files})
+        if [ "$tests" != "" ]; then
+          echo "bundle exec rspec --format progress $tests"
+          bundle exec rspec --format progress $tests
+        else
+          echo "No specs to run."
+          exit 0
+        fi

data/lib/gitlab/styles/version.rb

@@ -2,6 +2,6 @@
 
 module Gitlab
   module Styles
-    VERSION = '9.2.0'
+    VERSION = '10.0.0'
   end
 end

data/lib/rubocop/cop/active_record_dependent.rb

@@ -1,13 +1,9 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `dependent: ...` in ActiveRecord models.
     class ActiveRecordDependent < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not use `dependent:` to remove associated data, ' \
             'use foreign keys with cascading deletes instead.'
 
@@ -15,7 +11,6 @@ module Rubocop
       ALLOWED_OPTIONS = [:restrict_with_error].freeze
 
       def on_send(node)
-        return unless in_model?(node)
         return unless METHOD_NAMES.include?(node.children[1])
 
         node.children.last.each_node(:pair) do |pair|

data/lib/rubocop/cop/active_record_serialize.rb

@@ -1,18 +1,12 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `serialize` in ActiveRecord models.
     class ActiveRecordSerialize < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not store serialized data in the database, use separate columns and/or tables instead'
 
       def on_send(node)
-        return unless in_model?(node)
-
         add_offense(node.loc.selector) if node.children[1] == :serialize
       end
     end

data/lib/rubocop/cop/avoid_return_from_blocks.rb

@@ -23,7 +23,7 @@ module Rubocop
     class AvoidReturnFromBlocks < RuboCop::Cop::Base
       MSG = 'Do not return from a block, use next or break instead.'
       DEF_METHODS = %i[define_method lambda].freeze
-      WHITELISTED_METHODS = %i[each each_filename times loop].freeze
+      ALLOWED_METHODS = %i[each each_filename times loop].freeze
 
       def on_block(node)
         block_body = node.body
@@ -32,7 +32,7 @@ module Rubocop
         return unless top_block?(node)
 
         block_body.each_node(:return) do |return_node|
-          next if parent_blocks(node, return_node).all? { |block| whitelisted?(block) }
+          next if parent_blocks(node, return_node).all? { |block| allowed?(block) }
 
           add_offense(return_node)
         end
@@ -71,8 +71,8 @@ module Rubocop
           (node.block_type? && DEF_METHODS.include?(node.method_name))
       end
 
-      def whitelisted?(block_node)
-        WHITELISTED_METHODS.include?(block_node.method_name)
+      def allowed?(block_node)
+        ALLOWED_METHODS.include?(block_node.method_name)
       end
     end
   end

data/lib/rubocop/cop/gem_fetcher.rb

@@ -14,7 +14,7 @@ module Rubocop
 
       # @!method gem_option(node)
       def_node_matcher :gem_option, <<~PATTERN
-        (send nil? :gem _
+        (send nil? :gem _ ...
           (hash
             <$(pair (sym {#{GIT_SOURCES.map(&:inspect).join(' ')}}) _)
             ...>

data/lib/rubocop/cop/gitlab_security/deep_munge.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for disabling the deep munge security control.
+      #
+      # Disabling this security setting can leave the application open to unsafe
+      # query generation
+      #
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      #
+      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
+      class DeepMunge < RuboCop::Cop::Base
+        MSG = 'Never disable the deep munge security option.'
+
+        # @!method disable_deep_munge?(node)
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send
+            (send (send nil? :config) :action_dispatch) :perform_deep_munge=
+              { (false) (send true :!) }
+          )
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/json_serialization.rb

@@ -0,0 +1,133 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without allowing via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Cop
+        MSG = "Don't use `%s` without specifying `only`"
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        # @!method json_serialization?(node)
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil? hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        # @!method only_pair?(node)
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        # @!method include_pair?(node)
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        # @!method contains_only?(node)
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        # @!method constant_init(node)
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil? $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            # Empty `to_json` call
+            add_offense(node, location: :selector, message: format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, message: format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              add_offense(child_node, message: format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          offenses.count.zero?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/public_send.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
+      #
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
+      #
+      # @example
+      #
+      #   # bad
+      #   myobj.public_send("#{params[:foo]}")
+      #
+      #   # good
+      #   case params[:foo].to_s
+      #   when 'choice1'
+      #     items.choice1
+      #   when 'choice2'
+      #     items.choice2
+      #   when 'choice3'
+      #     items.choice3
+      #   end
+      class PublicSend < RuboCop::Cop::Base
+        MSG = 'Avoid using `%s`.'
+
+        RESTRICT_ON_SEND = %i[send public_send __send__].freeze
+
+        # @!method send?(node)
+        def_node_matcher :send?, <<-PATTERN
+          ({csend | send} _ ${:send :public_send :__send__} ...)
+        PATTERN
+
+        def on_send(node)
+          send?(node) do |match|
+            next unless node.arguments?
+
+            add_offense(node.loc.selector, message: format(MSG, match))
+          end
+        end
+
+        alias_method :on_csend, :on_send
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of redirect_to(params.update())
+      #
+      # Passing user params to the redirect_to method provides an open redirect
+      #
+      # @example
+      #
+      #   # bad
+      #   redirect_to(params.update(action: 'main'))
+      #
+      #   # good
+      #   redirect_to(allowed(params))
+      #
+      class RedirectToParamsUpdate < RuboCop::Cop::Base
+        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
+              'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
+
+        # @!method redirect_to_params_update_node(node)
+        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
+           (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
+        PATTERN
+
+        def on_send(node)
+          selected, name = redirect_to_params_update_node(node)
+          return unless name
+
+          message = format(MSG, name: name)
+
+          add_offense(selected, message: message)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/send_file_params.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of send_file(..., params[], ...)
+      #
+      # Passing user params to the send_file() method allows directory traversal
+      #
+      # @example
+      #
+      #   # bad
+      #   send_file("/tmp/myproj/" + params[:filename])
+      #
+      #   # good (verify directory)
+
+      #   basename = File.expand_path("/tmp/myproj")
+      #   filename = File.expand_path(File.join(basename, @file.public_filename))
+      #   raise if basename != filename
+      #   send_file filename, disposition: 'inline'
+      #
+      class SendFileParams < RuboCop::Cop::Base
+        MSG = 'Do not pass user provided params directly to send_file(), ' \
+              'verify the path with file.expand_path() first.'
+
+        # @!method params_node?(node)
+        def_node_search :params_node?, <<-PATTERN
+           (send (send nil? :params) ... )
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:send_file)
+          return unless node.arguments.any? { |e| params_node?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/sql_injection.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Base
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
+
+        # @!method where_user_input?(node)
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        # @!method string_var_string?(node)
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.arguments.any? { |e| string_var_string?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/system_command_injection.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      #
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #{filename}")
+      #
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Base
+        MSG = 'Do not include variables in the command name for system(). ' \
+              'Use parameters "system(cmd, params)" or exec() instead.'
+
+        # @!method system_var?(node)
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.arguments.any? { |e| system_var?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/in_batches.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of `in_batches`

data/lib/rubocop/cop/line_break_after_guard_clauses.rb

@@ -56,6 +56,8 @@ module Rubocop
     #
     #   do_something_more
     class LineBreakAfterGuardClauses < RuboCop::Cop::Base
+      extend RuboCop::Cop::AutoCorrector
+
       MSG = 'Add a line break after guard clauses'
 
       # @!method guard_clause_node?(node)
@@ -68,11 +70,7 @@ module Rubocop
         return unless guard_clause?(node)
         return if next_line(node).blank? || clause_last_line?(next_line(node)) || guard_clause?(next_sibling(node))
 
-        add_offense(node)
-      end
-
-      def autocorrect(node)
-        lambda do |corrector|
+        add_offense(node) do |corrector|
           corrector.insert_after(node.loc.expression, "\n")
         end
       end

data/lib/rubocop/cop/migration/update_large_table.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require_relative '../../../gitlab/styles/rubocop/migration_helpers'
 
 module Rubocop

data/lib/rubocop/cop/polymorphic_associations.rb

@@ -1,17 +1,12 @@
 # frozen_string_literal: true
 
-require_relative '../../gitlab/styles/rubocop/model_helpers'
-
 module Rubocop
   module Cop
     # Cop that prevents the use of polymorphic associations
     class PolymorphicAssociations < RuboCop::Cop::Base
-      include Gitlab::Styles::Rubocop::ModelHelpers
-
       MSG = 'Do not use polymorphic associations, use separate tables instead'
 
       def on_send(node)
-        return unless in_model?(node)
         return unless node.children[1] == :belongs_to
 
         node.children.last.each_node(:pair) do |pair|