platformos-check 0.4.5 → 0.4.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e25de2efbace27cbcb87f0166520a416c0a275dccd641524a3f3ea1b95190779
-  data.tar.gz: d4bc78729da09cb589caa3472e01c4735161d454b697560a894877073d21398e
+  metadata.gz: aebbd738b1045c874460b7f1de2cf2774297f36136fce816521dda29ce371652
+  data.tar.gz: c348e3afc68f2a664fe1ad313d41497ad7c977f8de72f3b82df9dda297926c38
 SHA512:
-  metadata.gz: 5dd2688e9b917dc3af698bcbf135bafc016bbfba8d24c46bd62528315d594322cf186913cbd6319a8d9275f8357a5d2d8067b542bd5fb90828532556464e4237
-  data.tar.gz: b1308c97e7721df699c423e9c1e111fee82e0bd31e79c8b55a1300baf5547fe115c35a9435ed16e5e2c68c825b230a6b710aba225d32f62a1ea3bee47a2204bd
+  metadata.gz: 368d39315a05ab34eff3797012af56775ca9a5ff4d8209ed0c44aa2916f97fe5740afa859bbfbbdf34409aa40967efe4236b2394eafcdecfc313c97f62a4dba7
+  data.tar.gz: f912bda1de7e0be84e887ab2f19cde9072e03468ea52265f910e20ff5a7317b7f7f4e6fe83aef690350f21543ffbd495e01c72eddca5c393acfc5500055d6939

data/CHANGELOG.md

@@ -1,4 +1,14 @@
-v0.4.5 / 2023-12-04
+v0.4.7 / 2023-12-22
+==================
+
+  * Add UnreachableCode check
+
+v0.4.6 / 2023-12-19
+==================
+
+  * Add FormAuthenticityToken check
+
+v0.4.5 / 2023-12-19
 ==================
 
   * Add FormAction check

data/config/default.yml

@@ -50,6 +50,10 @@ UnknownFilter:
   enabled: true
   ignore: []
 
+UnreachableCode:
+  enabled: true
+  ignore: []
+
 UnusedAssign:
   enabled: true
   ignore: []
@@ -91,6 +95,10 @@ FormAction:
   enabled: true
   ignore: []
 
+FormAuthenticityToken:
+  enabled: true
+  ignore: []
+
 HtmlParsingError:
   enabled: true
   ignore: []

data/docs/checks/form_action.md

@@ -45,7 +45,7 @@ There should be no cases where disabling this rule is needed.
 
 ## Version
 
-This check has been introduced in PlatformOS Check 0.45.0.
+This check has been introduced in PlatformOS Check 0.4.5.
 
 ## Resources
 

data/docs/checks/form_authenticity_token.md

@@ -0,0 +1,55 @@
+# Form authenticity token (`FormAuthenticityToken`)
+
+In platformOS all POST/PATCH/PUT/DELETE requests are protected from [CSRF Attacks][csrf-attack] through [authenticity_token][page-csrf]
+Form action defines the endpoint to which browser will make a request after submitting it.
+
+As a general rule you should include hidden input `<input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">` in every form. Missing it will result in session invalidation and any logged in user will be automatically logged out.
+
+## Check Details
+
+This check is aimed at ensuring you have not forgotten to include authenticity_token in a form.
+
+:-1: Examples of **incorrect** code for this check:
+
+```liquid
+<form action="dummy/create">
+</form>
+```
+
+:+1: Examples of **correct** code for this check:
+
+```liquid
+<form action="/dummy/create">
+  <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">
+</form>
+```
+
+## Check Options
+
+The default configuration for this check is the following:
+
+```yaml
+FormAuthenticityToken:
+  enabled: true
+```
+
+## When Not To Use It
+
+There should be no cases where disabling this rule is needed.
+
+## Version
+
+This check has been introduced in PlatformOS Check 0.4.6.
+
+## Resources
+
+- [Rule Source][codesource]
+- [Documentation Source][docsource]
+- [platformOS Page documentation][page-csrf]
+- [OWASP Cross Site Request Forgery][csrf-attack]
+
+[codesource]: /lib/platformos_check/checks/form_authenticity_token.rb
+[docsource]: /docs/checks/form_authenticity_token.md
+[page-csrf]: https://documentation.platformos.com/developer-guide/pages/pages#post-put-patch-delete-methods-and-cross-site-request-forgery-attacks
+[csrf-attack]: https://owasp.org/www-community/attacks/csrf
+

data/docs/checks/unreachable_code.md

@@ -0,0 +1,66 @@
+# Unreachable code (`UnreachableCode`)
+
+Unreachable code reports code that will never be reached, no matter what.
+
+## Check Details
+
+This check is aimed at ensuring you will not accidentally write code that will never be reached.
+
+:-1: Examples of **incorrect** code for this check:
+
+```liquid
+  assign x = "hello"
+  break
+  log x
+```
+
+```liquid
+  if x
+    log x
+  else
+    break
+    log "Stop"
+  endif
+```
+
+:+1: Examples of **correct** code for this check:
+
+```liquid
+  assign x = "hello"
+  log x
+  break
+```
+
+```liquid
+  if x
+    log x
+  else
+    log "Stop"
+    break
+  endif
+```
+
+## Check Options
+
+The default configuration for this check is the following:
+
+```yaml
+UnreachableCode:
+  enabled: true
+```
+
+## When Not To Use It
+
+There should be no cases where disabling this rule is needed.
+
+## Version
+
+This check has been introduced in PlatformOS Check 0.4.7.
+
+## Resources
+
+- [Rule Source][codesource]
+- [Documentation Source][docsource]
+
+[codesource]: /lib/platformos_check/checks/unreachable_code.rb
+[docsource]: /docs/checks/unreachable_code.md

data/lib/platformos_check/checks/form_authenticity_token.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module PlatformosCheck
+  class FormAuthenticityToken < HtmlCheck
+    severity :error
+    categories :html
+    doc docs_url(__FILE__)
+
+    AUTHENTICITY_TOKEN_VALUE = /\A\s*{{\s*context\.authenticity_token\s*}}\s*\z/
+
+    def on_form(node)
+      authenticity_toke_inputs = node.children.select { |c| c.name == 'input' && c.attributes['name'] == 'authenticity_token' && c.attributes['value']&.match?(AUTHENTICITY_TOKEN_VALUE) }
+      return if authenticity_toke_inputs.size == 1
+      return add_offense('Duplicated authenticity_token inputs', node:) if authenticity_toke_inputs.size > 1
+
+      add_offense('Missing authenticity_token input <input type="hidden" name="authenticity_token" value="{{ context.authenticity_token }}">', node:) do |corrector|
+        corrector.insert_after(node, "\n<input type=\"hidden\" name=\"authenticity_token\" value=\"{{ context.authenticity_token }}\">")
+      end
+    end
+  end
+end

data/lib/platformos_check/checks/unreachable_code.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module PlatformosCheck
+  # Recommends using {% liquid ... %} if 5 or more consecutive {% ... %} are found.
+  class UnreachableCode < LiquidCheck
+    severity :error
+    category :liquid
+    doc docs_url(__FILE__)
+
+    FLOW_COMMAND = %i[break continue return]
+    CONDITION_TYPES = Set.new(%i[condition else_condition])
+    INCLUDE_FLOW_COMMAND = %w[break]
+
+    def on_document(node)
+      @processed_files = {}
+      check_unreachable_code(node.children)
+    end
+
+    protected
+
+    def check_unreachable_code(nodes)
+      nodes = sanitize_children(nodes)
+      nodes.each_cons(2) do |node1, _node2|
+        next unless flow_expression?(node1)
+
+        add_offense("Unreachable code after `#{node1.type_name}`", node: node1)
+      end
+      flow_expression?(nodes.last)
+    end
+
+    def sanitize_children(children)
+      children.reject { |c| c.value.is_a?(String) && c.value.strip == '' }
+    end
+
+    def flow_expression?(node)
+      return false if node.nil?
+      return true if flow_command?(node)
+
+      case node.type_name
+      when :if, :unless
+        check_if(node)
+        false
+      when :for
+        check_for(node)
+        false
+      when :case
+        check_case(node)
+        false
+      when :try_rc, :try
+        check_try(node)
+        false
+      when :block_body
+        node.children.any? { |c| flow_expression?(c) }
+      else
+        false
+      end
+    end
+
+    def check_if(node)
+      node.children.each do |condition|
+        check_unreachable_code(condition.children.detect(&:block_body?).children)
+      end
+    end
+
+    def check_for(node)
+      check_unreachable_code(node.children.detect(&:block_body?).children)
+    end
+
+    def check_case(node)
+      node.children.each do |condition|
+        next unless CONDITION_TYPES.include?(condition.type_name)
+
+        check_unreachable_code(condition.children.detect(&:block_body?).children)
+      end
+    end
+
+    def check_try(node)
+      node.children.each do |block_body|
+        check_unreachable_code(block_body.children)
+      end
+    end
+
+    def flow_command?(node)
+      return true if FLOW_COMMAND.include?(node.type_name)
+
+      return evaluate_include(node.value.template_name_expr) if node.type_name == :include && node.value.template_name_expr.is_a?(String)
+
+      false
+    end
+
+    def evaluate_include(path)
+      return false unless path.is_a?(String)
+
+      @processed_files[path] ||= include_node_contains_flow_command?(@platformos_app.grouped_files[PlatformosCheck::PartialFile][path]&.parse&.root)
+      @processed_files[path]
+    end
+
+    def include_node_contains_flow_command?(root)
+      return false if root.nil?
+
+      root.nodelist.any? do |node|
+        if INCLUDE_FLOW_COMMAND.include?(node.respond_to?(:tag_name) && node.tag_name)
+          true
+        elsif node.respond_to?(:nodelist) && node.nodelist
+          include_node_contains_flow_command?(node)
+        elsif node.respond_to?(:tag_name) && node.tag_name == 'include' && node.template_name_expr.is_a?(String)
+          evaluate_include(node.template_name_expr)
+        else
+          false
+        end
+      end
+    end
+  end
+end

data/lib/platformos_check/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PlatformosCheck
-  VERSION = "0.4.5"
+  VERSION = "0.4.7"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: platformos-check
 version: !ruby/object:Gem::Version
-  version: 0.4.5
+  version: 0.4.7
 platform: ruby
 authors:
 - Piotr Bliszczyk
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2023-12-19 00:00:00.000000000 Z
+date: 2023-12-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: graphql
@@ -118,6 +118,7 @@ files:
 - docs/checks/convert_include_to_render.md
 - docs/checks/deprecated_filter.md
 - docs/checks/form_action.md
+- docs/checks/form_authenticity_token.md
 - docs/checks/html_parsing_error.md
 - docs/checks/img_lazy_loading.md
 - docs/checks/img_width_and_height.md
@@ -133,6 +134,7 @@ files:
 - docs/checks/template_length.md
 - docs/checks/undefined_object.md
 - docs/checks/unknown_filter.md
+- docs/checks/unreachable_code.md
 - docs/checks/unused_assign.md
 - docs/checks/unused_partial.md
 - docs/checks/valid_yaml.md
@@ -161,6 +163,7 @@ files:
 - lib/platformos_check/checks/convert_include_to_render.rb
 - lib/platformos_check/checks/deprecated_filter.rb
 - lib/platformos_check/checks/form_action.rb
+- lib/platformos_check/checks/form_authenticity_token.rb
 - lib/platformos_check/checks/html_parsing_error.rb
 - lib/platformos_check/checks/img_lazy_loading.rb
 - lib/platformos_check/checks/img_width_and_height.rb
@@ -176,6 +179,7 @@ files:
 - lib/platformos_check/checks/template_length.rb
 - lib/platformos_check/checks/undefined_object.rb
 - lib/platformos_check/checks/unknown_filter.rb
+- lib/platformos_check/checks/unreachable_code.rb
 - lib/platformos_check/checks/unused_assign.rb
 - lib/platformos_check/checks/unused_partial.rb
 - lib/platformos_check/checks/valid_yaml.rb