rubocop-airbnb 1.0.0

data/lib/rubocop/cop/airbnb/factory_class_use_string.rb

@@ -0,0 +1,39 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Cop to tell developers to use :class => "MyClass" instead of :class => MyClass,
+      # because the latter slows down reloading zeus.
+      class FactoryClassUseString < Cop
+        MSG = 'Instead of :class => MyClass, use :class => "MyClass". ' \
+          "This enables faster spec startup time and faster Zeus reload time.".freeze
+
+        def on_send(node)
+          return unless node.command?(:factory)
+
+          class_pair = class_node(node)
+
+          if class_pair && !string_class_name?(class_pair)
+            add_offense(class_pair)
+          end
+        end
+
+        private
+
+        # Return the descendant node that is a hash pair (:key => value) whose key
+        # is :class.
+        def class_node(node)
+          node.descendants.detect do |e|
+            e.is_a?(Parser::AST::Node) &&
+              e.pair_type? &&
+              e.children[0].children[0] == :class
+          end
+        end
+
+        # Given a hash pair :class_name => value, is the value a hardcoded string?
+        def string_class_name?(class_pair)
+          class_pair.children[1].str_type?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/mass_assignment_accessible_modifier.rb

@@ -0,0 +1,18 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Modifying Mass assignment restrictions eliminates the entire point of disabling
+      # mass assignment. It's a lazy, potentially dangerous approach that should be discouraged.
+      class MassAssignmentAccessibleModifier < Cop
+        MSG = 'Do no override and objects mass assignment restrictions.'.freeze
+
+        def on_send(node)
+          _receiver, method_name, *_args = *node
+
+          return unless method_name == :accessible=
+          add_offense(node, message: MSG)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/module_method_in_wrong_file.rb

@@ -0,0 +1,104 @@
+require_relative '../../airbnb/inflections'
+require_relative '../../airbnb/rails_autoloading'
+
+module RuboCop
+  module Cop
+    module Airbnb
+      # This cop checks for methods defined in a module declaration, in a file that doesn't
+      # match the module name. The Rails autoloader can't find such a method, but sometimes
+      # people "get lucky" if the file happened to be loaded before the method was defined.
+      #
+      # @example
+      #   # bad
+      #
+      #   # foo/bar.rb
+      #   module Foo
+      #     class Bar
+      #     end
+      #
+      #     def baz
+      #       42
+      #     end
+      #   end
+      #
+      #   # good
+      #
+      #   # foo/bar.rb
+      #   module Foo
+      #     class Bar
+      #     end
+      #   end
+      #
+      #   # foo.rb
+      #   module Foo
+      #     def baz
+      #       42
+      #     end
+      #   end
+      #
+      # Note that autoloading works fine if classes are defined in the file that defines
+      # the module. This is common usage for things like error classes, so we'll allow it:
+      #
+      # @example
+      #   # good
+      #
+      #   # foo.rb
+      #   module Foo
+      #     class Bar < StandardError
+      #       def baz
+      #       end
+      #     end
+      #   end
+      #
+      #   # good
+      #
+      #   # foo.rb
+      #   class Foo
+      #     class Bar # nested class
+      #       def baz
+      #       end
+      #     end
+      #   end
+      class ModuleMethodInWrongFile < Cop
+        include Inflections
+        include RailsAutoloading
+
+        MSG_TEMPLATE =
+          "In order for Rails autoloading to be able to find and load this file when " \
+          "someone calls this method, move the method definition to a file that defines " \
+          "the module. This file just uses the module as a namespace for another class " \
+          "or module. Method %s should be defined in %s.".freeze
+
+        def on_def(node)
+          method_name, args, body = *node
+          on_method_def(node, method_name, args, body)
+        end
+
+        alias on_defs on_def
+
+        private
+
+        def on_method_def(node, method_name, args, body)
+          path = node.source_range.source_buffer.name
+          return unless run_rails_autoloading_cops?(path)
+          return unless node.parent_module_name
+          # "#<Class:>" is the parent module name of a method being defined in an if/unless.
+          return if node.parent_module_name == "#<Class:>"
+
+          expected_dir = underscore(normalize_module_name(node.parent_module_name))
+          allowable_filenames = expected_dir.split("/").map { |file| "#{file}.rb" }
+          basename = File.basename(path)
+          if !allowable_filenames.include?(basename)
+            parent_module_names = split_modules(node.parent_module_name)
+            expected_parent_module_file =
+              "#{parent_module_names.map { |name| underscore(name) }.join("/")}.rb"
+            add_offense(
+              node,
+              message: MSG_TEMPLATE % [method_name, expected_parent_module_file]
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/no_timeout.rb

@@ -0,0 +1,19 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      class NoTimeout < Cop
+        MSG =
+          'Do not use Timeout.timeout. In combination with Rails autoloading, ' \
+          'timeout can cause Segmentation Faults in version of Ruby we use. ' \
+          'It can also cause logic errors since it can raise in ' \
+          'any callee scope. Use client library timeouts and monitoring to ' \
+          'ensure proper timing behavior for web requests.'.freeze
+
+        def on_send(node)
+          return unless node.source.start_with?('Timeout.timeout')
+          add_offense(node, message: MSG)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/opt_arg_parameters.rb

@@ -0,0 +1,38 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Cop to enforce use of options hash over default arguments
+      # https://github.com/airbnb/ruby#no-default-args
+      class OptArgParameters < Cop
+        MSG =
+          'Do not use default positional arguments. '\
+          'Use keyword arguments or an options hash instead.'.freeze
+
+        def on_args(node)
+          *but_last, last_arg = *node
+
+          if last_arg && last_arg.blockarg_type?
+            last_arg = but_last.pop
+          end
+
+          but_last.each do |arg|
+            next unless arg.optarg_type?
+            add_offense(arg, message: MSG)
+          end
+          return if last_arg.nil?
+
+          return unless last_arg.optarg_type?
+
+          _arg_name, default_value = *last_arg
+          if default_value.hash_type?
+            # asserting default value is empty hash
+            *key_value_pairs = *default_value
+            return if key_value_pairs.empty?
+          end
+
+          add_offense(last_arg, message: MSG)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/phrase_bundle_keys.rb

@@ -0,0 +1,67 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Prefer matching Phrase Bundle and t call keys inside of
+      # PhraseBundleClasses.
+      #
+      # @example
+      #   # bad
+      #   def phrases
+      #     {
+      #       "shortened_key" => t(
+      #         "my_real_translation_key",
+      #         default: 'Does not matter',
+      #       ),
+      #     }
+      #   end
+      #
+      #   # good
+      #   def phrases
+      #     {
+      #       "my_real_translation_key" => t(
+      #         "my_real_translation_key",
+      #         default: 'Does not matter',
+      #       ),
+      #     }
+      #   end
+      class PhraseBundleKeys < Cop
+        MESSAGE =
+          'Phrase bundle keys should match their translation keys.'.freeze
+
+        def on_send(node)
+          parent = node.parent
+          if t_call?(node) && in_phrase_bundle_class?(node) && parent.pair_type?
+            hash_key = parent.children[0]
+            unless hash_key.children[0] == node.children[2].children[0]
+              add_offense(hash_key, message: MESSAGE)
+            end
+          end
+        end
+
+        private
+
+        def in_phrase_bundle_class?(node)
+          if node.class_type? && !const_phrase_bundle_children(node).empty?
+            true
+          elsif node.parent
+            in_phrase_bundle_class?(node.parent)
+          else
+            false
+          end
+        end
+
+        def const_phrase_bundle_children(node)
+          node.children.select do |e|
+            e.is_a?(Parser::AST::Node) &&
+              e.const_type? &&
+              e.children[1] == :PhraseBundle
+          end
+        end
+
+        def t_call?(node)
+          node.children[1] == :t
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/risky_activerecord_invocation.rb

@@ -0,0 +1,63 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Disallow ActiveRecord calls that pass interpolated or added strings as an argument.
+      class RiskyActiverecordInvocation < Cop
+        VULNERABLE_AR_METHODS = [
+          :delete_all,
+          :destroy_all,
+          :exists?,
+          :execute,
+          :find_by_sql,
+          :group,
+          :having,
+          :insert,
+          :order,
+          :pluck,
+          :reorder,
+          :select,
+          :select_rows,
+          :select_values,
+          :select_all,
+          :update_all,
+          :where,
+        ].freeze
+        MSG = 'Passing a string computed by interpolation or addition to an ActiveRecord ' \
+              'method is likely to lead to SQL injection. Use hash or parameterized syntax. For ' \
+              'more information, see ' \
+              'http://guides.rubyonrails.org/security.html#sql-injection-countermeasures and ' \
+              'https://rails-sqli.org/rails3. If you have confirmed with Security that this is a ' \
+              'safe usage of this style, disable this alert with ' \
+              '`# rubocop:disable Airbnb/RiskyActiverecordInvocation`.'.freeze
+        def on_send(node)
+          receiver, method_name, *_args = *node
+
+          return if receiver.nil?
+          return unless vulnerable_ar_method?(method_name)
+          if !includes_interpolation?(_args) && !includes_sum?(_args)
+            return
+          end
+
+          add_offense(node)
+        end
+
+        def vulnerable_ar_method?(method)
+          VULNERABLE_AR_METHODS.include?(method)
+        end
+
+        # Return true if the first arg is a :dstr that has non-:str components
+        def includes_interpolation?(args)
+          !args.first.nil? &&
+            args.first.type == :dstr &&
+            args.first.each_child_node.any? { |child| child.type != :str }
+        end
+
+        def includes_sum?(args)
+          !args.first.nil? &&
+            args.first.type == :send &&
+            args.first.method_name == :+
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/rspec_describe_or_context_under_namespace.rb

@@ -0,0 +1,114 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # This cop checks for Rspec describe or context method calls under a namespace.
+      # It can potentially cause autoloading to occur in a different order than it
+      # would have in development or production. This could cause flaky tests.
+      #
+      # @example
+      #   # bad
+      #
+      #   # spec/foo/bar_spec.rb
+      #   module Foo
+      #     describe Bar do
+      #     end
+      #   end
+      #
+      #   # good
+      #
+      #   # spec/foo/bar_spec.rb do
+      #
+      #   describe Foo::Bar
+      #   end
+      class RspecDescribeOrContextUnderNamespace < Cop
+        DESCRIBE_OR_CONTEXT_UNDER_NAMESPACE_MSG =
+          'Declaring a `module` in a spec can break autoloading because subsequent references ' \
+          'to it will not cause it to be loaded from the app. This could cause flaky tests.'.freeze
+
+        FIX_DESCRIBE_OR_CONTEXT_HELP_MSG =
+          'Change `%{describe} %{klass} do` to `%{describe} %{module_name}::%{klass} do`.'.freeze
+
+        FIX_CODE_HELP_MSG =
+          'Remove `module %{module_name}` and fix `%{module_name}::CONST` and ' \
+          '`%{module_name}.method` calls accordingly.'.freeze
+
+        def_node_matcher :describe_or_context?,
+                         '(send {(const nil? :RSpec) nil?} {:describe :context} ...)'.freeze
+
+        def on_module(node)
+          path = node.source_range.source_buffer.name
+          return unless is_spec_file?(path)
+
+          matched_node = search_children_for_describe_or_context(node.children)
+          return unless matched_node
+
+          method_name = matched_node.method_name
+          module_name = get_module_name(node)
+          message = [DESCRIBE_OR_CONTEXT_UNDER_NAMESPACE_MSG]
+
+          described_class = get_described_class(matched_node)
+          method_parent = get_method_parent(matched_node)
+          parent_dot_method = method_parent ? "#{method_parent}.#{method_name}" : method_name
+          if described_class
+            message << FIX_DESCRIBE_OR_CONTEXT_HELP_MSG % {
+              describe: parent_dot_method,
+              klass: described_class,
+              module_name: module_name,
+            }
+          end
+
+          message << FIX_CODE_HELP_MSG % { module_name: module_name }
+          add_offense(node, message: message.join(' '))
+        end
+
+        def search_children_for_describe_or_context(nodes)
+          blocks = []
+          # match nodes for send describe or context
+          nodes.detect do |node|
+            next unless node
+
+            if is_block?(node)
+              blocks << node
+              next
+            end
+            return node if describe_or_context?(node)
+          end
+
+          # Process child nodes of block
+          blocks.each do |node|
+            matched_node = search_children_for_describe_or_context(node.children)
+            return matched_node if matched_node
+          end
+
+          nil
+        end
+
+        def is_spec_file?(path)
+          path.end_with?('_spec.rb')
+        end
+
+        def get_module_name(node)
+          const_node = node.children[0]
+          return unless const_node
+          const_node.const_name
+        end
+
+        def get_described_class(node)
+          const_node = node.children[2]
+          return unless const_node
+          const_node.const_name
+        end
+
+        def get_method_parent(node)
+          const_node = node.children[0]
+          return unless const_node
+          const_node.const_name
+        end
+
+        def is_block?(node)
+          node && [:block, :begin].include?(node.type)
+        end
+      end
+    end
+  end
+end