rubocop-betterment 1.13.0 → 1.14.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cc4eabc0685d064150b4545175e96ee1c848ad32f53bf35f83b5125a7c309b82
-  data.tar.gz: 258718477b39bb37af975daae5f1d4db1ea7e4adb55d7b8ee6b3757aee5dbfbd
+  metadata.gz: 72ecfa7e731527b0864a131730eb79829789b2b34647dd73ed6b17bdc5c5e630
+  data.tar.gz: 5337dbddc978a69778f40dde95c9136e83df54bf90e5b5eb122aaa925cf14e97
 SHA512:
-  metadata.gz: 692eb066b0e6b45d0c7049f90acc66c600d1a6b24793ba691975112ccd5a7ddcfc01b3674dc180fecf9eb75dd4445c826d30864b4fbea1768e53df1fceb1c2e4
-  data.tar.gz: 7cee25dc098dbabbdac9ae42a10ada567047e211c445cb6ecef7405ae6da89a03927c044f3fb9781a2bb6e48b7fb3fa1f608f820076d4828159477cee8864914
+  metadata.gz: 9a1a2417233fd6494e0e4a99d4423fe0c1b051aaeb6e54cafe23791622f612afb48d169f06a4d23911a614fb19e937f3862743141915facc4bfdfbe64dd6bcd0
+  data.tar.gz: f0beed1cf45c911d169061c703db710d05400da4ddc13cf16151338668bb023df9b98fe311e863caca8fa4979f099ab054ccf8c40eebac070ed52f6bf6a0135a

data/README.md

@@ -20,13 +20,104 @@ inherit_gem:
     - config/default.yml
 ```
 
-## Custom Cops
-
-All cops are located under [`lib/rubocop/cop/betterment`](lib/rubocop/cop/betterment)
-
 ## Dependencies
 
 This gem depends on the following other gems:
 
 - rubocop
 - rubocop-rspec
+
+## Custom Cops
+
+All cops are located under [`lib/rubocop/cop/betterment`](lib/rubocop/cop/betterment)
+
+### Betterment/AuthorizationInController
+
+This cop looks for unsafe handling of id-like parameters in controllers that may lead to mass assignment style vulnerabilities. It does this by tracking methods that retrieve input from the client and variables that hold onto these values. Any models initialized or updated using these values will then be flagged by the cop. Take this example controller:
+
+```ruby
+class Controller
+  def create_params
+    params.permit(:user_id, :language)
+  end
+
+  def create
+    info = params.permit(:user_id)
+    Model.new(user_id: info[:user_id], language: params[:language])
+    Model.new(user_id: params[:user_id], language: params[:language])
+    Model.new(create_params)
+  end
+end
+```
+
+All three `Model.new` calls may be susceptible to a mass assignment vulnerability. To address these vulnerabilities, some form of authorization will be needed to ensure that the user issuing this request is allowed to create a `Model` that references the specific `user_id`. To get a better understanding of what this cop flags and doesn't flag, take a look at its [spec](spec/rubocop/cop/betterment/authorization_in_controller_spec.rb).
+
+In cases where more fine-grained control over what parameters are considered sensitive is desired, two configuration options can be used: `unsafe_parameters` and `unsafe_regex`. By default this cop will flag unsafe uses of any parameters whose names end in `_id`, but additional parameters can be specified by configuring `unsafe_parameters`. In cases where the default pattern of `.*_id` is insufficient or incorrect, this regex can be swapped out by specifying the `unsafe_regex` configuration option. In total, this cop will flag any parameters whose names are on the `unsafe_parameters` list or matches the `unsafe_regex` pattern.
+
+This is what a full configuration of this cop may look like:
+
+```yaml
+Betterment/AuthorizationInController:
+  # Limit this cop just to controllers
+  Include:
+    - 'app/controllers/**/*.rb'
+  unsafe_parameters:
+    - username
+    - misc_unsafe_parameter
+  unsafe_regex: '.*_id$'
+```
+
+### Betterment/UnscopedFind
+
+This cop flags code that passes user input directly into a `find`-like call that may lead to authorization issues. For example, a controller that uses user input to find a document will need to ensure that the user is authorized to access that document. Take the following sample:
+
+```ruby
+class Controller
+  def index
+    @document = Document.find(params[:document_id])
+  end
+end
+```
+
+In this case, `@document` may not belong to the user and authorization will have to be done somewhere else, potentially introducing a vulnerability. One way to address this violation is to replace the `Document.find(...)` call with a `current_user.documents.find(...)` call. This fails fast when `current_user` is not authorized to access the document, without an extra authorization check that a `Document.find` call would require.
+
+When dealing with models whose data is not ever considered private, it may make sense to add them to the `unauthenticated_models` configuration option. For example, reference data such as `ZipCode` or `Language` may be represented using models, but may not make sense to enforce any form of authentication. Take the sample controller below:
+
+```ruby
+class Controller < UnauthenticatedWebappController
+  def index
+    @language = Language.find(params[:language])
+    @zip = ZipCode.find(params[:zip])
+  end
+end
+```
+
+There is nothing specific to a user or otherwise anything sensitive about `Language` or `ZipCode`. The cop can be configured to treat these models as unauthenticated so that calling `find`-like methods with them will not trigger any violations:
+
+```yaml
+Betterment/UnscopedFind:
+  unauthenticated_models:
+    - Language
+    - ZipCode
+```
+
+### Betterment/DynamicParams
+
+This cop flags code that accesses parameters whose names may be dynamically generated, such as a list of parameters in an a global variable or a return value from a method. In some cases, dynamically accessing parameter names can obscure what the client is expected to send and may make it difficult to reason about the code, both manually and programmatically. For example:
+
+```ruby
+class Controller
+  def create_param_names
+    %i(user_id first_name last_name)
+  end
+
+  def create
+    parameter_name = :user_id
+    params.permit(parameter_name)
+    params.permit(create_params_names)
+    params.permit(%w(blog post comment).flat_map { |p| ["#{p}_name", "#{p}_title"] })
+  end
+end
+```
+
+All three `params.permit` calls will be flagged.

data/config/default.yml

@@ -17,6 +17,10 @@ AllCops:
   DisplayStyleGuide: true
   DisplayCopNames: true
 
+Betterment/AuthorizationInController:
+  Description: 'Detects unsafe handling of id-like parameters in controllers.'
+  Enabled: false
+
 Betterment/SitePrismLoaded:
   Include:
     - 'spec/features/**/*_spec.rb'

data/lib/rubocop/cop/betterment.rb

@@ -1,4 +1,7 @@
 require 'rubocop'
+require 'rubocop/cop/betterment/authorization_in_controller'
+require 'rubocop/cop/betterment/dynamic_params'
+require 'rubocop/cop/betterment/unscoped_find'
 require 'rubocop/cop/betterment/timeout'
 require 'rubocop/cop/betterment/memoization_with_arguments'
 require 'rubocop/cop/betterment/site_prism_loaded'

data/lib/rubocop/cop/betterment/authorization_in_controller.rb

@@ -0,0 +1,280 @@
+module RuboCop
+  module Cop
+    module Betterment
+      class AuthorizationInController < Cop
+        attr_accessor :unsafe_parameters, :unsafe_regex
+
+        # MSG_UNSAFE_CREATE = 'Model created/updated using unsafe parameters'.freeze
+        MSG_UNSAFE_CREATE = <<~MSG.freeze
+          Model created/updated using unsafe parameters.
+          Please query for the associated record in a way that enforces authorization (e.g. "trust-root chaining"),
+          and then pass the resulting object into your model instead of the unsafe parameter.
+
+          INSTEAD OF THIS:
+          post_parameters = params.permit(:album_id, :caption)
+          Post.new(post_parameters)
+
+          DO THIS:
+          album = current_user.albums.find(params[:album_id])
+          post_parameters = params.permit(:caption).merge(album: album)
+          Post.new(post_parameters)
+
+          See here for more information on this error:
+          https://github.com/Betterment/rubocop-betterment/blob/master/README.md#bettermentauthorizationincontroller
+        MSG
+
+        def_node_matcher :model_new?, <<-PATTERN
+          (send (const ... _) {:new :build :create :create! :find_or_create_by :find_or_create_by! :find_or_initialize_by :find_or_initialize_by!} ...)
+        PATTERN
+
+        def_node_matcher :model_update?, <<-PATTERN
+          (send (...) {:assign_attributes :update :update! :find_or_create_by :find_or_create_by! :find_or_initialize_by :find_or_initialize_by! :update_attribute :update_attributes :update_attributes! :update_all :update_column :update_columns} ...)
+        PATTERN
+
+        def initialize(config = nil, options = nil)
+          super(config, options)
+          config = @config.for_cop(self)
+          @unsafe_parameters = config.fetch("unsafe_parameters", []).map(&:to_sym)
+          @unsafe_regex = Regexp.new config.fetch("unsafe_regex", ".*_id$")
+          @wrapper_methods = {}
+          @wrapper_names = []
+        end
+
+        def on_class(node)
+          track_methods(node)
+          track_assignments(node)
+        end
+
+        def on_send(node) # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
+          _receiver_node, _method_name, *arg_nodes = *node
+
+          return if !model_new?(node) && !model_update?(node)
+
+          arg_nodes.each do |argument|
+            if argument.type == :send
+              tag_unsafe_param_hash(argument)
+              tag_unsafe_param_permit_wrapper(argument)
+            elsif argument.variable?
+              tag_unsafe_param_permit_wrapper(argument)
+            elsif argument.type == :hash
+              argument.children.each do |pair|
+                next if pair.type != :pair
+
+                _key, value = *pair.children
+                tag_unsafe_param_hash(value)
+                tag_unsafe_param_permit_wrapper(value)
+              end
+            end
+          end
+        end
+
+        private
+
+        def tag_unsafe_param_hash(node)
+          unsafe_param = extract_parameter(node)
+          add_offense(unsafe_param, message: MSG_UNSAFE_CREATE) if unsafe_param
+        end
+
+        def tag_unsafe_param_permit_wrapper(node)
+          return if !node.send_type? && !node.variable?
+          return if node.send_type? && (node.method_name == :[])
+
+          name = get_root_token(node)
+          add_offense(node, message: MSG_UNSAFE_CREATE) if @wrapper_names.include?(name)
+        end
+
+        # if a method returns params[...] or params.permit(...) then it will
+        # be tracked; if the method does not explicitly return a params
+        # sourced argument, then it will not be tracked
+        def track_methods(node)
+          methods = get_all_methods(node)
+
+          methods.map do |method|
+            method_returns = get_return_values(method)
+
+            unless get_param_wrappers(method_returns).empty?
+              @wrapper_methods[method.method_name] = method
+              @wrapper_names << method.method_name
+            end
+          end
+        end
+
+        # keep track of all assignments that hold parameters
+        def track_assignments(node)
+          get_all_assignments(node).each do |assignment|
+            variable_name, value = *assignment
+
+            # if rhs calls params.permit, eg
+            # - @var = params.permit(...)
+            rhs_wrapper = get_param_wrappers([value])
+            unless rhs_wrapper.empty?
+              @wrapper_methods[variable_name] = rhs_wrapper[0]
+              @wrapper_names << variable_name
+            end
+
+            # if rhs is a call to a parameter wrapper, eg
+            # @var = parameter_wrapper
+            root_token = get_root_token(value)
+            if root_token && @wrapper_names.include?(root_token)
+              @wrapper_methods[variable_name] = assignment
+              @wrapper_names << variable_name
+            end
+
+            # if rhs extracts a parameter, eg
+            # @var = params[:user_id]
+            if extract_parameter(value)
+              @wrapper_methods[variable_name] = assignment
+              @wrapper_names << variable_name
+            end
+          end
+        end
+
+        def explicit_returns(node)
+          node.descendants.select(&:return_type?).map { |x|
+            x&.children&.first
+          }.compact
+        end
+
+        def get_return_values(node) # rubocop:disable Metrics/AbcSize
+          return [] unless node
+          return explicit_returns(node) + get_return_values(node.body) if node.def_type?
+          return [node] if node.literal? || node.variable?
+
+          case node.type
+            when :begin
+              get_return_values(node.children.last)
+            when :block
+              get_return_values(node.body)
+            when :if
+              if_rets = get_return_values(node.if_branch)
+              else_rets = get_return_values(node.else_branch)
+              if_rets + else_rets
+            when :case
+              cases = []
+              node.each_when do |block|
+                cases += get_return_values(block.body)
+              end
+
+              cases + get_return_values(node.else_branch)
+            when :send
+              [node]
+            else
+              []
+          end
+        end
+
+        def get_all_assignments(node)
+          return [] unless node.children && node.type == :class
+
+          node.descendants.select do |descendant|
+            _lhs, rhs = *descendant
+            descendant.equals_asgn? && (descendant.type != :casgn) && rhs&.send_type?
+          end
+        end
+
+        def param_symbol?(name)
+          name == :params
+        end
+
+        def get_all_methods(node)
+          return [] unless node.children && node.type == :class
+
+          node.descendants.select do |descendant|
+            descendant.type == :def
+          end
+        end
+
+        # fetches the name of the leftmost ("root") token
+        # @vars.merge(this: that).merge(etc: etc) => @vars
+        # params.permit(:this) => params
+        # params[:field] => params
+        def get_root_token(node) # rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize
+          return nil unless node
+
+          return get_root_token(node.receiver) if node.receiver
+
+          if node.send_type?
+            name = node.method_name
+          elsif node.variable?
+            name, = *node
+          elsif node.literal?
+            _, name = *node
+          elsif node.const_type?
+            name = node.const_name
+          elsif node.sym_type?
+            name = node.value
+          elsif node.variable?
+            name = node.children[0]
+          elsif node.parenthesized_call?
+            name = nil
+          else
+            raise "Unknown node type: #{node.type.inspect}"
+          end
+
+          name
+        end
+
+        # this finds all calls to any method on a params like object
+        # then walks up to find calls to permit
+        # if the arguments to permit are "suspicious", then we add
+        # the whole method to a list of methods that wrap params.permit
+        def get_param_wrappers(methods) # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
+          wrappers = []
+
+          methods.each do |method|
+            return [] unless method.type == :def || method.type == :send
+
+            method.descendants.each  do |child|
+              next unless child.type == :send
+              next unless param_symbol?(child.method_name)
+
+              child.ancestors.each do |ancestor|
+                _receiver_node, method_name, *arg_nodes = *ancestor
+                next unless ancestor.send_type?
+                next unless method_name == :permit
+
+                # we're only interested in calls to params.....permit(...)
+                wrappers << method if contains_id_param?(arg_nodes)
+              end
+            end
+          end
+
+          wrappers
+        end
+
+        def sym_or_str?(arg)
+          %i(sym str).include?(arg.type)
+        end
+
+        def array_or_hash?(arg)
+          %i(array hash).include?(arg.type)
+        end
+
+        def contains_id_param?(arg_nodes)
+          arg_nodes.any? do |arg|
+            sym_or_str?(arg) && suspicious_id?(arg.value) ||
+              array_or_hash?(arg) && contains_id_param?(arg.values)
+          end
+        end
+
+        # check a symbol name against the cop's config parameters
+        def suspicious_id?(symbol_name)
+          @unsafe_parameters.include?(symbol_name.to_sym) || @unsafe_regex.match(symbol_name) # symbol_name.to_s.end_with?("_id")
+        end
+
+        def extract_parameter(argument)
+          _receiver_node, method_name, *arg_nodes = *argument
+          return unless argument.send_type? && method_name == :[]
+
+          argument_name = get_root_token(argument)
+
+          if param_symbol?(argument_name) || @wrapper_names.include?(argument_name)
+            arg_nodes.find do |arg|
+              sym_or_str?(arg) && suspicious_id?(arg.value)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/betterment/dynamic_params.rb

@@ -0,0 +1,62 @@
+module RuboCop
+  module Cop
+    module Betterment
+      class DynamicParams < Cop
+        MSG_DYNAMIC_PARAMS = <<~MSG.freeze
+          Parameter names accessed dynamically, cannot determine safeness. Please inline the keys explicitly when calling `permit` or when accessing `params` like a hash.
+
+          See here for more information on this error:
+          https://github.com/Betterment/rubocop-betterment/blob/master/README.md#bettermentdynamicparams
+        MSG
+
+        def_node_matcher :permit_or_hash?, <<-PATTERN
+          (send (...) {:[] :permit} ...)
+        PATTERN
+
+        def on_send(node)
+          _, _, *arg_nodes = *node
+          return unless permit_or_hash?(node) && get_root_token(node) == :params
+
+          dynamic_param = find_dynamic_param(arg_nodes)
+          add_offense(dynamic_param, message: MSG_DYNAMIC_PARAMS) if dynamic_param
+        end
+
+        private
+
+        def find_dynamic_param(arg_nodes)
+          return unless arg_nodes
+
+          arg_nodes.find do |arg|
+            arg.type == :array && find_dynamic_param(arg.values) || !arg.literal? && !arg.const_type?
+          end
+        end
+
+        def get_root_token(node) # rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize
+          return nil unless node
+
+          return get_root_token(node.receiver) if node.receiver
+
+          if node.send_type?
+            name = node.method_name
+          elsif node.variable?
+            name, = *node
+          elsif node.literal?
+            _, name = *node
+          elsif node.const_type?
+            name = node.const_name
+          elsif node.sym_type?
+            name = node.value
+          elsif node.variable?
+            name = node.children[0]
+          elsif node.parenthesized_call?
+            name = nil
+          else
+            raise "Unknown node type: #{node.type.inspect}"
+          end
+
+          name
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/betterment/unscoped_find.rb

@@ -0,0 +1,101 @@
+module RuboCop
+  module Cop
+    module Betterment
+      class UnscopedFind < Cop
+        attr_accessor :unauthenticated_models
+
+        MSG = <<~MSG.freeze
+          Records are being retrieved directly using user input.
+          Please query for the associated record in a way that enforces authorization (e.g. "trust-root chaining").
+
+          INSTEAD OF THIS:
+          Post.find(params[:post_id])
+
+          DO THIS:
+          current_user.posts.find(params[:post_id])
+
+          See here for more information on this error:
+          https://github.com/Betterment/rubocop-betterment/blob/master/README.md#bettermentunscopedfind
+        MSG
+        METHOD_PATTERN = /^find_by_(.+?)(!)?$/.freeze
+        FINDS = %i(find find_by find_by! where).freeze
+
+        def_node_matcher :custom_scope_find?, <<-PATTERN
+          (send (send (const ... _) ...) {#{FINDS.map(&:inspect).join(' ')}} ...)
+        PATTERN
+
+        def_node_matcher :find?, <<-PATTERN
+          (send (const ... _) {#{FINDS.map(&:inspect).join(' ')}} ...)
+        PATTERN
+
+        def initialize(config = nil, options = nil)
+          super(config, options)
+          config = @config.for_cop(self)
+          @unauthenticated_models = config.fetch("unauthenticated_models", [])
+        end
+
+        def on_send(node)
+          _, _, *arg_nodes = *node
+          return unless
+            (
+                find?(node) ||
+                custom_scope_find?(node) ||
+                static_method_name(node.method_name)
+            ) && !@unauthenticated_models.include?(get_root_token(node))
+
+          add_offense(node, message: MSG) if find_param_arg(arg_nodes)
+        end
+
+        private
+
+        def find_param_arg(arg_nodes)
+          return unless arg_nodes
+
+          arg_nodes.find do |arg|
+            if arg.type == :hash
+              arg.children.each do |pair|
+                _key, value = *pair.children
+                return arg if get_root_token(value) == :params
+              end
+            end
+            get_root_token(arg) == :params
+          end
+        end
+
+        # yoinked from Rails/DynamicFindBy
+        def static_method_name(method_name)
+          match = METHOD_PATTERN.match(method_name)
+          return nil unless match
+
+          match[2] ? 'find_by!' : 'find_by'
+        end
+
+        def get_root_token(node) # rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize
+          return nil unless node
+
+          return get_root_token(node.receiver) if node.receiver
+
+          if node.send_type?
+            name = node.method_name
+          elsif node.variable?
+            name, = *node
+          elsif node.literal?
+            _, name = *node
+          elsif node.const_type?
+            name = node.const_name
+          elsif node.sym_type?
+            name = node.value
+          elsif node.variable?
+            name = node.children[0]
+          elsif node.parenthesized_call?
+            name = nil
+          else
+            raise "Unknown node type: #{node.type.inspect}"
+          end
+
+          name
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-betterment
 version: !ruby/object:Gem::Version
-  version: 1.13.0
+  version: 1.14.0
 platform: ruby
 authors:
 - Development
@@ -91,11 +91,14 @@ files:
 - STYLEGUIDE.md
 - config/default.yml
 - lib/rubocop/cop/betterment.rb
+- lib/rubocop/cop/betterment/authorization_in_controller.rb
+- lib/rubocop/cop/betterment/dynamic_params.rb
 - lib/rubocop/cop/betterment/implicit_redirect_type.rb
 - lib/rubocop/cop/betterment/memoization_with_arguments.rb
 - lib/rubocop/cop/betterment/site_prism_loaded.rb
 - lib/rubocop/cop/betterment/spec_helper_required_outside_spec_dir.rb
 - lib/rubocop/cop/betterment/timeout.rb
+- lib/rubocop/cop/betterment/unscoped_find.rb
 homepage: 
 licenses:
 - MIT
@@ -115,7 +118,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Betterment rubocop configuration