rubocop-config-captive 1.6.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5756c218562b8bb428e080131872a1d86d05631ab0356b2a22b36411733732c
-  data.tar.gz: 70e0e42455ef3fa6dd8f69fd2192f4961cc9d8eebab8d60a10b68b96a359379d
+  metadata.gz: dc7cafbd64157ecadbe86b5ec9b5c0c1c1947db2f59d8951769d24eeb159f90d
+  data.tar.gz: 38307a0c2f1e10efaaa73bc7fdd4645bbccfe9e6e2455071895d7bca2b9ef75a
 SHA512:
-  metadata.gz: 020a795f4efc08e561f4c280bc2c1016b08d1d3819e11c5f9a17971aa6ada85dd96a768aa4875ddf3056dcc1fb63afb8e904416918ef29c16efb19f0bd696000
-  data.tar.gz: c968e241425d6ab95fd76b22d7c3edcf49dda21760ca7c9dbff05ee89e3d8db25ba85b2b79a343ca4b88a31d0b000d4d850eef53300f34aabb5e01c05a0b014d
+  metadata.gz: 58ee32d3d141b8a123e50e7b4f0c9ee1d5186108f6d5cc9843633a44c5d79cbaaf32b53349a929e51bc08a341a8b489a76193b3b08dab91306336e10194022be
+  data.tar.gz: 5d7d19dee91bbf9d92e393d27148c1f31996f4b13c1a72b7fd385600f934d3421b4441705b3f47b61e54310f16ed1e1cd88db67c34681fe9b641dfc53e04b9c6

data/config/default.yml

@@ -25,8 +25,8 @@ AllCops:
 
     # Additional exclude files by rubocop-rails_config
     # @see https://github.com/toshimaru/rubocop-rails_config/blob/main/config/rails.yml#L20
-    - 'bin/**/*'
-    - 'db/schema.rb'
+    - '**/bin/**/*'
+    - '**/db/schema.rb'
 
 
 

data/config/rubocop-captive.yml

@@ -5,6 +5,7 @@ require:
   - ../lib/rubocop/cop/captive/translation/kaminari_i18n_presence.rb
   - ../lib/rubocop/cop/captive/rspec/specify_before_parameter.rb
   - ../lib/rubocop/cop/captive/rails/no_email_from_controller.rb
+  - ../lib/rubocop/cop/captive/rails/force_ssl_enabled_in_production.rb
   - ../lib/rubocop/cop/captive/string_where_in_scope.rb
   - ../lib/rubocop/cop/captive/no_app_env.rb
 
@@ -42,6 +43,12 @@ Captive/Rails/NoEmailFromController:
   Include:
     - 'app/controllers/**/*'
 
+# Rails
+Captive/Rails/ForceSslEnabledInProduction:
+  Description: "Ensures SSL is forced in production, so that secure cookies are used."
+  Include:
+    - 'config/environments/production.rb'
+
 # other
 Captive/StringWhereInScope:
   Description: 'The `where` method should be used in a scope in a model.'

data/config/rubocop-layout.yml

@@ -44,7 +44,8 @@ Layout/LineLength:
   # Disable LineLength on comments
   AllowedPatterns: ['^(\s*#)']
   Exclude:
-    - 'spec/**/*.rb'
-    - 'test/**/*.rb'
+    - '**/*.gemspec'
+    - '**/spec/**/*.rb'
+    - '**/test/**/*.rb'
     - '**/*_spec.rb'
     - '**/*_test.rb'

data/lib/rubocop/captive/version.rb

@@ -3,6 +3,6 @@
 module RuboCop
   module Captive
     # Version information for the the Airbnb RuboCop plugin.
-    VERSION = "1.6.0"
+    VERSION = "1.8.0"
   end
 end

data/lib/rubocop/cop/captive/rails/force_ssl_enabled_in_production.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Captive
+      module Rails
+        ##
+        # This cop ensures the config force_ssl is set to true.
+        #
+        # Pourquoi il faut configurer le `force_ssl` à `true` en production ?
+        # 1) Ça redirige les requêtes http → https. C’est une option que permet également le routeur de Scalingo
+        # 2) Ça ajoute un flag `Secure` sur les Cookies. S’il n’est pas présent, c’est considéré comme une vulnérabilité car ça peut permettre à un pirate de récupérer le cookie en HTTP et potentiellement voler la session.
+        # @see https://www.notion.so/captive/Corriger-la-vuln-rabilit-Insecure-cookie-setting-missing-Secure-flag-7962ae24774d4de39dcda5a80cca4fcf?pvs=26&qid=
+        # @see https://support.detectify.com/support/solutions/articles/48001048982-cookie-lack-secure-flag article détaillant la sécurité du cookie
+        class ForceSslEnabledInProduction < Base
+          extend AutoCorrector
+
+          MSG = "force_ssl should be enabled in production."
+
+          def on_send(node)
+            if setting_force_ssl_not_true?(node)
+              add_offense(node, message: MSG) do |corrector|
+                # Replace with 'true' only if the argument is not already 'true'
+                unless node.arguments.first.true_type?
+                  corrector.replace(
+                    node.arguments.first.source_range,
+                    "true"
+                  )
+                end
+              end
+            end
+          end
+
+          def on_new_investigation
+            processed_source.comments.each do |comment|
+              check_comment(comment)
+            end
+          end
+
+          private
+
+          def setting_force_ssl_not_true?(node)
+            node.method_name == :force_ssl= && !node.arguments.first.true_type?
+          end
+
+          def check_comment(comment)
+            return unless force_ssl_commented?(comment.text)
+
+            add_offense(comment.loc.expression, message: MSG) do |corrector|
+              corrector.replace(comment.loc.expression, "config.force_ssl = true")
+            end
+          end
+
+          def force_ssl_commented?(comment_text)
+            comment_text.match?(/^\s*#.*config\.force_ssl\s*=\s*true/)
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-config-captive
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Captive
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-08-02 00:00:00.000000000 Z
+date: 2023-11-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -169,6 +169,7 @@ files:
 - lib/rubocop/captive/version.rb
 - lib/rubocop/cop/captive/active_admin/active_admin_addons_presence.rb
 - lib/rubocop/cop/captive/no_app_env.rb
+- lib/rubocop/cop/captive/rails/force_ssl_enabled_in_production.rb
 - lib/rubocop/cop/captive/rails/no_email_from_controller.rb
 - lib/rubocop/cop/captive/rspec/specify_before_parameter.rb
 - lib/rubocop/cop/captive/string_where_in_scope.rb