rubocop-airbnb 1.0.0

data/lib/rubocop/cop/airbnb/rspec_environment_modification.rb

@@ -0,0 +1,58 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # This cop checks how the Rails environment is modified in specs. If an individual method on
+      # Rails.env is modified multiple environment related branchs could be run down. Rather than
+      # modifying a single path or setting Rails.env in a way that could bleed into other specs,
+      # use `stub_env`
+      #
+      # @example
+      #   # bad
+      #
+      #   # spec/foo/bar_spec.rb
+      #   before(:each) do
+      #     allow(Rails.env).to receive(:production).and_return(true)
+      #   end
+      #
+      #   before(:each) do
+      #     expect(Rails.env).to receive(:production).and_return(true)
+      #   end
+      #
+      #   before(:each) do
+      #     Rails.env = :production
+      #   end
+      #
+      #   # good
+      #
+      #   # spec/foo/bar_spec.rb do
+      #   before(:each) do
+      #     stub_env(:production)
+      #   end
+      class RspecEnvironmentModification < Cop
+        def_node_matcher :allow_or_expect_rails_env, <<-PATTERN
+          (send (send nil? {:expect :allow} (send (const nil? :Rails) :env)) :to ...)
+        PATTERN
+
+        def_node_matcher :stub_rails_env, <<-PATTERN
+          (send (send (const nil? :Rails) :env) :stub _)
+        PATTERN
+
+        def_node_matcher :rails_env_assignment, '(send (const nil? :Rails) :env= ...)'
+
+        MESSAGE = "Do not stub or set Rails.env in specs. Use the `stub_env` method instead".freeze
+
+        def on_send(node)
+          path = node.source_range.source_buffer.name
+          return unless is_spec_file?(path)
+          if rails_env_assignment(node) || allow_or_expect_rails_env(node) || stub_rails_env(node)
+            add_offense(node, message: MESSAGE)
+          end
+        end
+
+        def is_spec_file?(path)
+          path.end_with?('_spec.rb')
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/simple_modifier_conditional.rb

@@ -0,0 +1,23 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Cop to tackle prevent more complicated modifier if/unless statements
+      # https://github.com/airbnb/ruby#only-simple-if-unless
+      class SimpleModifierConditional < Cop
+        MSG = 'Modifier if/unless usage is okay when the body is simple, ' \
+          'the condition is simple, and the whole thing fits on one line. ' \
+          'Otherwise, avoid modifier if/unless.'.freeze
+
+        def_node_matcher :multiple_conditionals?, '(if ({and or :^} ...) ...)'
+
+        def on_if(node)
+          return unless node.modifier_form?
+
+          if multiple_conditionals?(node) || node.multiline?
+            add_offense(node)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/spec_constant_assignment.rb

@@ -0,0 +1,55 @@
+require 'rubocop-rspec'
+
+module RuboCop
+  module Cop
+    module Airbnb
+      # This cop checks for constant assignment inside of specs
+      #
+      # @example
+      #   # bad
+      #   describe Something do
+      #     PAYLOAD = [1, 2, 3]
+      #   end
+      #
+      #   # good
+      #   describe Something do
+      #     let(:payload)  { [1, 2, 3] }
+      #   end
+      #
+      #   # bad
+      #   describe Something do
+      #     MyClass::PAYLOAD = [1, 2, 3]
+      #   end
+      #
+      #   # good
+      #   describe Something do
+      #     before { stub_const('MyClass::PAYLOAD', [1, 2, 3])
+      #   end
+      class SpecConstantAssignment < Cop
+        include RuboCop::RSpec::TopLevelDescribe
+        MESSAGE = "Defining constants inside of specs can cause spurious behavior. " \
+                  "It is almost always preferable to use `let` statements, "\
+                  "anonymous class/module definitions, or stub_const".freeze
+
+        def on_casgn(node)
+          return unless in_spec_file?(node)
+          parent_module_name = node.parent_module_name
+          if node.parent_module_name && parent_module_name != 'Object'
+            return
+          end
+          add_offense(node, message: MESSAGE)
+        end
+
+        private
+
+        def in_spec_file?(node)
+          filename = node.location.expression.source_buffer.name
+
+          # For tests, the input is a string
+          return true if filename == "(string)"
+          filename.include?("/spec/")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/airbnb/unsafe_yaml_marshal.rb

@@ -0,0 +1,47 @@
+module RuboCop
+  module Cop
+    module Airbnb
+      # Disallow use of YAML/Marshal methods that can trigger RCE on untrusted input
+      class UnsafeYamlMarshal < Cop
+        MSG = 'Using unsafe YAML parsing methods on untrusted input can lead ' \
+              'to remote code execution. Use `safe_load`, `parse`, `parse_file`, or ' \
+              '`parse_stream` instead'.freeze
+
+        def on_send(node)
+          receiver, method_name, *_args = *node
+
+          return if receiver.nil?
+          return unless receiver.const_type?
+
+          check_yaml(node, receiver, method_name, *_args)
+          check_marshal(node, receiver, method_name, *_args)
+        rescue => e
+          puts e
+          puts e.backtrace
+          raise
+        end
+
+        def check_yaml(node, receiver, method_name, *_args)
+          return unless ['YAML', 'Psych'].include?(receiver.const_name)
+          return unless [:load, :load_documents, :load_file, :load_stream].include?(method_name)
+
+          message = "Using `#{receiver.const_name}.#{method_name}` on untrusted input can lead " \
+            "to remote code execution. Use `safe_load`, `parse`, `parse_file`, or " \
+            "`parse_stream` instead"
+
+          add_offense(node, message: message)
+        end
+
+        def check_marshal(node, receiver, method_name, *_args)
+          return unless receiver.const_name == 'Marshal'
+          return unless method_name == :load
+
+          message = 'Using `Marshal.load` on untrusted input can lead to remote code execution. ' \
+            'Restructure your code to not use Marshal'
+
+          add_offense(node, message: message)
+        end
+      end
+    end
+  end
+end

data/rubocop-airbnb.gemspec

@@ -0,0 +1,32 @@
+
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'rubocop/airbnb/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'rubocop-airbnb'
+  spec.summary = 'Custom code style checking for Airbnb.'
+  spec.description = <<-EOF
+    A plugin for RuboCop code style enforcing & linting tool. It includes Rubocop configuration
+    used at Airbnb and a few custom rules that have cause internal issues at Airbnb but are not
+    supported by core Rubocop.
+  EOF
+  spec.authors = ['Airbnb Engineering']
+  spec.email = ['rubocop@airbnb.com']
+  spec.homepage = 'https://github.com/airbnb/ruby'
+  spec.license = 'MIT'
+  spec.version = RuboCop::Airbnb::VERSION
+  spec.platform = Gem::Platform::RUBY
+  spec.required_ruby_version = '>= 2.1'
+
+  spec.require_paths = ['lib']
+  spec.files = Dir[
+    '{config,lib,spec}/**/*',
+    '*.md',
+    '*.gemspec',
+    'Gemfile',
+  ]
+
+  spec.add_dependency('rubocop', '0.52.1')
+  spec.add_dependency('rubocop-rspec', '1.22.1')
+  spec.add_development_dependency('rspec', '~> 3.5')
+end

data/spec/rubocop/cop/airbnb/class_name_spec.rb

@@ -0,0 +1,78 @@
+describe RuboCop::Cop::Airbnb::ClassName do
+  subject(:cop) { described_class.new }
+
+  describe "belongs_to" do
+    it 'rejects with Model.name' do
+      source = [
+        'class Coupon',
+        '  belongs_to :user, :class_name => User.name',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses.size).to eq(1)
+      expect(cop.offenses.map(&:line).sort).to eq([2])
+    end
+
+    it 'passes with "Model"' do
+      source = [
+        'class Coupon',
+        '  belongs_to :user, :class_name => "User"',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses).to be_empty
+    end
+  end
+
+  describe "has_many" do
+    it 'rejects with Model.name' do
+      source = [
+        'class Coupon',
+        '  has_many :reservations, :class_name => Reservation2.name',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses.size).to eq(1)
+      expect(cop.offenses.map(&:line)).to eq([2])
+    end
+
+    it 'passes with "Model"' do
+      source = [
+        'class Coupon',
+        '  has_many :reservations, :class_name => "Reservation2"',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses).to be_empty
+    end
+  end
+
+  describe "has_one" do
+    it 'rejects with Model.name' do
+      source = [
+        'class Coupon',
+        '  has_one :loss, :class_name => Payments::Loss.name',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses.size).to eq(1)
+      expect(cop.offenses.map(&:line)).to eq([2])
+    end
+
+    it 'passes with "Model"' do
+      source = [
+        'class Coupon',
+        '  has_one :loss, :class_name => "Payments::Loss"',
+        'end',
+      ].join("\n")
+      inspect_source(source)
+
+      expect(cop.offenses).to be_empty
+    end
+  end
+end

data/spec/rubocop/cop/airbnb/class_or_module_declared_in_wrong_file_spec.rb

@@ -0,0 +1,174 @@
+describe RuboCop::Cop::Airbnb::ClassOrModuleDeclaredInWrongFile do
+  subject(:cop) { described_class.new(config) }
+
+  let(:config) do
+    RuboCop::Config.new(
+      {
+        "Rails" => {
+          "Enabled" => true,
+        },
+      }
+    )
+  end
+
+  # Put source in a directory under /tmp because this cop cares about the filename
+  # but not the parent dir name.
+  let(:tmpdir) { Dir.mktmpdir }
+  let(:models_dir) do
+    gemfile = File.new("#{tmpdir}/Gemfile", "w")
+    gemfile.close
+    FileUtils.mkdir_p("#{tmpdir}/app/models").first
+  end
+
+  after do
+    FileUtils.rm_rf tmpdir
+  end
+
+  it 'rejects if class declaration is in a file with non-matching name' do
+    source = [
+      'module Foo',
+      '  module Bar',
+      '    class Baz',
+      '    end',
+      '  end',
+      'end',
+    ].join("\n")
+
+    File.open "#{models_dir}/qux.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses.size).to eq(3)
+    expect(cop.offenses.map(&:line).sort).to eq([1, 2, 3])
+    expect(cop.offenses.first.message).to include('Module Foo should be defined in foo.rb.')
+  end
+
+  it 'rejects if class declaration is in a file with matching name but wrong parent dir' do
+    source = [
+      'module Foo',
+      '  module Bar',
+      '    class Baz',
+      '    end',
+      '  end',
+      'end',
+    ].join("\n")
+
+    File.open "#{models_dir}/baz.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses.size).to eq(3)
+    expect(cop.offenses.map(&:line).sort).to eq([1, 2, 3])
+    expect(cop.offenses.last.message).to include('Class Baz should be defined in foo/bar/baz.rb.')
+  end
+
+  it 'accepts if class declaration is in a file with matching name and right parent dir' do
+    source = [
+      'module Foo',
+      '  module Bar',
+      '    class Baz',
+      '    end',
+      '  end',
+      'end',
+    ].join("\n")
+
+    FileUtils.mkdir_p "#{models_dir}/foo/bar"
+    File.open "#{models_dir}/foo/bar/baz.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses).to be_empty
+  end
+
+  it 'rejects if class declaration is in wrong dir and parent module uses ::' do
+    source = [
+      'module Foo::Bar',
+      '  class Baz',
+      '  end',
+      'end',
+    ].join("\n")
+
+    FileUtils.mkdir_p "#{models_dir}/bar"
+    File.open "#{models_dir}/bar/baz.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses.map(&:line).sort).to eq([1, 2])
+    expect(cop.offenses.last.message).to include('Class Baz should be defined in foo/bar/baz.rb.')
+  end
+
+  it 'accepts if class declaration is in a file with matching name and parent module uses ::' do
+    source = [
+      'module Foo::Bar',
+      '  class Baz',
+      '  end',
+      'end',
+    ].join("\n")
+
+    FileUtils.mkdir_p "#{models_dir}/foo/bar"
+    File.open "#{models_dir}/foo/bar/baz.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses).to be_empty
+  end
+
+  it 'accepts class declaration where the containing class uses an acronym' do
+    source = [
+      'module CSVFoo',
+      '  class Baz',
+      '  end',
+      'end',
+    ].join("\n")
+
+    FileUtils.mkdir_p "#{models_dir}/csv_foo"
+    File.open "#{models_dir}/csv_foo/baz.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses).to be_empty
+  end
+
+  it 'ignores class/module declaration in a rake task' do
+    source = [
+      'class Baz',
+      'end',
+    ].join("\n")
+
+    File.open "#{models_dir}/foo.rake", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses).to be_empty
+  end
+
+  it 'suggests moving error classes into the file that defines the owning scope' do
+    source = [
+      'module Foo',
+      '  class BarError < StandardError; end',
+      'end',
+    ].join("\n")
+
+    File.open "#{models_dir}/bar.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses.map(&:line)).to include(2)
+    expect(cop.offenses.map(&:message)).to include(%r{Class BarError should be defined in foo\.rb.})
+  end
+
+  it 'recognizes error class based on the superclass name' do
+    source = [
+      'module Foo',
+      '  class Bar < StandardError; end',
+      'end',
+    ].join("\n")
+
+    File.open "#{models_dir}/bar.rb", "w" do |file|
+      inspect_source(source, file)
+    end
+
+    expect(cop.offenses.map(&:line)).to include(2)
+    expect(cop.offenses.map(&:message)).to include(%r{Class Bar should be defined in foo\.rb.})
+  end
+end