platformos-check 0.4.4 → 0.4.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2232ebaad35fcbe180ef2bf7430a1f1b14a8a292e9e83162cab6f4daa2627e77
-  data.tar.gz: 664d5f186a9a9af5db288b287d05cacc1134b7533c63c11255e635481d7315e7
+  metadata.gz: 737ae774f598b10b46e556298d68e7eafe711c00ef6463c30ba8f8736c6cf42a
+  data.tar.gz: 443998e3955d4032ab41b2d5189ff42f5a736781b05cf0bdfa2a8dfe1b4fe629
 SHA512:
-  metadata.gz: 8dc44ad6b4b964108030b675ee46d883c75c4d3e8ef7262617dc2897eb7a53bf858d64b0e3ffb2ddc50a1f762bf9fbe6371c630d9a64c5358a5152e0a52e7901
-  data.tar.gz: 6c86d9c6e458117f9f25c0563fbe33d7f3792f5b9129671f8e30fe539b0d02cd9faedd77491c091e5c608d1e296a0bb9bc86c236b10f2cc10aa7711ac22f2f1f
+  metadata.gz: 5049fd3616a7721b1d23920c87436ed19a525d96454ef18a93cb22ba210e733a5984c154f3a79778f047769fa059052fc65b3ca56cc02d70e4ee5e108c568b29
+  data.tar.gz: c7dcafbce9b30fc5fd2b954a080e4f167f24c7fcfbc8ea48b6131b54eb33eb71657f45068075c1ea2f9f6520682a33f94eb207e0a68341e10f9abcda4939b8db

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+v0.4.6 / 2023-12-19
+==================
+
+  * Add FormAuthenticityToken check
+
+v0.4.5 / 2023-12-19
+==================
+
+  * Add FormAction check
+
 v0.4.4 / 2023-12-04
 ==================
 

data/config/default.yml

@@ -87,6 +87,14 @@ ImgLazyLoading:
   enabled: true
   ignore: []
 
+FormAction:
+  enabled: true
+  ignore: []
+
+FormAuthenticityToken:
+  enabled: true
+  ignore: []
+
 HtmlParsingError:
   enabled: true
   ignore: []

data/data/platformos_liquid/documentation/latest.json

@@ -1,2 +1,2 @@
 
-{"revision":"008ef526d0cf8a5c42eb2c05938d91543996edf8"}
+{"revision":"131bcc176b04bbd3cd19a57ac57395a74b949760"}

data/docs/checks/form_action.md

@@ -0,0 +1,56 @@
+# Form action (`FormAction`)
+
+Form action defines the endpoint to which browser will make a request after submitting it.
+
+As a general rule you should use relative path like `action="/my/path"` instead of for example `action="my/path"` to avoid errors.
+
+## Check Details
+
+This check is aimed at ensuring you have not forgotten to start the path with /.
+
+:-1: Examples of **incorrect** code for this check:
+
+```liquid
+<form action="dummy/create">
+ ...
+</form>
+```
+
+:+1: Examples of **correct** code for this check:
+
+```liquid
+<form action="/dummy/create">
+ ...
+</form>
+```
+
+```liquid
+<form action="{{ var }}">
+ ...
+</form>
+```
+
+## Check Options
+
+The default configuration for this check is the following:
+
+```yaml
+FormAction:
+  enabled: true
+```
+
+## When Not To Use It
+
+There should be no cases where disabling this rule is needed.
+
+## Version
+
+This check has been introduced in PlatformOS Check 0.45.0.
+
+## Resources
+
+- [Rule Source][codesource]
+- [Documentation Source][docsource]
+
+[codesource]: /lib/platformos_check/checks/form_action.rb
+[docsource]: /docs/checks/form_action.md

data/docs/checks/form_authenticity_token.md

@@ -0,0 +1,55 @@
+# Form authenticity token (`FormAuthenticityToken`)
+
+In platformOS all POST/PATCH/PUT/DELETE requests are protected from [CSRF Attacks][csrf-attack] through [authenticity_token][page-csrf]
+Form action defines the endpoint to which browser will make a request after submitting it.
+
+As a general rule you should include hidden input `<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">` in every form. Missing it will result in session invalidation and any logged in user will be automatically logged out.
+
+## Check Details
+
+This check is aimed at ensuring you have not forgotten to include authenticity_token in a form.
+
+:-1: Examples of **incorrect** code for this check:
+
+```liquid
+<form action="dummy/create">
+</form>
+```
+
+:+1: Examples of **correct** code for this check:
+
+```liquid
+<form action="/dummy/create">
+  <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">
+</form>
+```
+
+## Check Options
+
+The default configuration for this check is the following:
+
+```yaml
+FormAuthenticityToken:
+  enabled: true
+```
+
+## When Not To Use It
+
+There should be no cases where disabling this rule is needed.
+
+## Version
+
+This check has been introduced in PlatformOS Check 0.46.0.
+
+## Resources
+
+- [Rule Source][codesource]
+- [Documentation Source][docsource]
+- [platformOS Page documentation][page-csrf]
+- [OWASP Cross Site Request Forgery][csrf-attack]
+
+[codesource]: /lib/platformos_check/checks/form_authenticity_token.rb
+[docsource]: /docs/checks/form_authenticity_token.md
+[page-csrf]: https://documentation.platformos.com/developer-guide/pages/pages#post-put-patch-delete-methods-and-cross-site-request-forgery-attacks
+[csrf-attack]: https://owasp.org/www-community/attacks/csrf
+

data/lib/platformos_check/checks/form_action.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module PlatformosCheck
+  class FormAction < HtmlCheck
+    severity :error
+    categories :html
+    doc docs_url(__FILE__)
+
+    def on_form(node)
+      action = node.attributes["action"]&.strip
+      return if action.nil?
+      return if action.empty?
+      return if action.start_with?('/', '{{')
+
+      add_offense("Use action=\"/#{action}\" (start with /) to ensure the form can be submitted multiple times in case of validation errors", node:)
+    end
+  end
+end

data/lib/platformos_check/checks/form_authenticity_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PlatformosCheck
+  class FormAuthenticityToken < HtmlCheck
+    severity :error
+    categories :html
+    doc docs_url(__FILE__)
+
+    AUTHENTICITY_TOKEN_VALUE = /\A\s*{{\s*context\.authenticity_token\s*}}\s*\z/
+
+    def on_form(node)
+      authenticity_toke_inputs = node.children.select { |c| c.name == 'input' && c.attributes['name'] == 'authenticity_token' && c.attributes['value']&.match?(AUTHENTICITY_TOKEN_VALUE) }
+      return if authenticity_toke_inputs.size == 1
+      return add_offense('Duplicated authenticity_token inputs', node:) if authenticity_toke_inputs.size > 1
+
+      add_offense('Missing authenticity_token input <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">', node:) do |corrector|
+        corrector.insert_after(node, "\n<input type=\"hidden\" name=\"authenticity_token\" value=\"{{ context.authenticity_token }}\">")
+      end
+    end
+  end
+end

data/lib/platformos_check/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PlatformosCheck
-  VERSION = "0.4.4"
+  VERSION = "0.4.6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: platformos-check
 version: !ruby/object:Gem::Version
-  version: 0.4.4
+  version: 0.4.6
 platform: ruby
 authors:
 - Piotr Bliszczyk
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-12-04 00:00:00.000000000 Z
+date: 2023-12-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: graphql
@@ -117,6 +117,8 @@ files:
 - docs/checks/TEMPLATE.md.erb
 - docs/checks/convert_include_to_render.md
 - docs/checks/deprecated_filter.md
+- docs/checks/form_action.md
+- docs/checks/form_authenticity_token.md
 - docs/checks/html_parsing_error.md
 - docs/checks/img_lazy_loading.md
 - docs/checks/img_width_and_height.md
@@ -159,6 +161,8 @@ files:
 - lib/platformos_check/checks/TEMPLATE.rb.erb
 - lib/platformos_check/checks/convert_include_to_render.rb
 - lib/platformos_check/checks/deprecated_filter.rb
+- lib/platformos_check/checks/form_action.rb
+- lib/platformos_check/checks/form_authenticity_token.rb
 - lib/platformos_check/checks/html_parsing_error.rb
 - lib/platformos_check/checks/img_lazy_loading.rb
 - lib/platformos_check/checks/img_width_and_height.rb