rubocop-eightyfourcodes 0.0.2 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: caa8bb23e13eed6bbcb9e59c2a4a76db329ae6ec62c7efe251cdcc6e794beff3
-  data.tar.gz: fdc49e8b5e58feb5e438d6c2cc0183cf20a194175cc2fea9c970939d4d51c751
+  metadata.gz: a2337a72314ad6423017df81a2dcf8f83013dc6e873fd69b5125378182721640
+  data.tar.gz: b32af92eabaeea8c0d9d87f65bfdcbc7143dfe57721a389ad1c883f287134559
 SHA512:
-  metadata.gz: 7669d1010b6d8521ffbf0b61d0c858c62d851df29c0f3144a5a010ae021737df911488393a8b4538505e774b96e138f769196ae1e514f57558df71cb5dab9517
-  data.tar.gz: 56f7910d7429f6592cf1f3a9ef54b7c02690b55545f1f45f9c02d872249bf3d6c79e815615fe922f4ce22526bcebf7cda73678f9f634f1dbe50504af44664e76
+  metadata.gz: af6326b9251b078270670d986af36041e0af768bb69d29ba9e960f0663dc420444e333057b886714c4184ac1201624d2ab0cd34f5b1425860f70c9e0b666c747
+  data.tar.gz: 84565456b4a0c98c085ec35f86da4bd4765a399b822068d6a51df0129ab786dc0ba97a147e221b187a48b3690bb130cc77592b035c447f6da92aaf8e48c50efc

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,16 @@
+plugins:
+  - rubocop-rspec
+  - rubocop-rake
+
+AllCops:
+  NewCops: enable
+  Exclude:
+    - 'lib/rubocop/cop/gitlab_security/*.rb'
+    - 'spec/rubocop/cop/gitlab_security/*.rb'
+    # avoid linting installed gems when running in GitHub Actions
+    - '**/vendor/bundle/**/*' 
+Naming/FileName:
+  Exclude:
+    - lib/rubocop-eightyfourcodes.rb
+RSpec/ExampleLength:
+  Max: 10

data/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.0.3 (2024-10-23)
+
+- Recreated entire project using <https://github.com/rubocop/rubocop-extension-generator>
+- Added `EnsureRedirect`
+
 ## 0.0.2 (2020-09-24)
 
 - Added `RubyVersionFile`: Ensure we read Gemfile ruby version from `.ruby-version` file

data/Gemfile

@@ -1,9 +1,15 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
+# Specify your gem's dependencies in rubocop-eightyfourcodes.gemspec
 gemspec
 
 group :development, :test do
-  gem 'pry'
-  gem 'rspec', '~> 3.6.0'
-  gem 'rubocop-rspec', '~> 1.21.0'
+  gem 'rake'
+  gem 'rspec'
+  gem 'rubocop'
+  gem 'rubocop-rake'
+  gem 'rubocop-rspec'
+  gem 'yard'
 end

data/Gemfile.lock

@@ -0,0 +1,75 @@
+PATH
+  remote: .
+  specs:
+    rubocop-eightyfourcodes (0.0.4)
+      rubocop (< 2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.2)
+    diff-lcs (1.6.0)
+    json (2.10.2)
+    language_server-protocol (3.17.0.4)
+    lint_roller (1.1.0)
+    parallel (1.26.3)
+    parser (3.3.7.1)
+      ast (~> 2.4.1)
+      racc
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.2.1)
+    regexp_parser (2.10.0)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.3)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.2)
+    rubocop (1.74.0)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.40.0)
+      parser (>= 3.3.1.0)
+    rubocop-rake (0.7.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1)
+    rubocop-rspec (3.5.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    ruby-progressbar (1.13.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    yard (0.9.37)
+
+PLATFORMS
+  arm64-darwin-23
+  ruby
+
+DEPENDENCIES
+  rake
+  rspec
+  rubocop
+  rubocop-eightyfourcodes!
+  rubocop-rake
+  rubocop-rspec
+  yard
+
+BUNDLED WITH
+   2.6.4

data/LICENSE.md

@@ -1,4 +1,6 @@
-Copyright (c) 2019 eightyfourcodes AB
+The MIT License (MIT)
+
+Copyright (c) 2024 84codes AB
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
@@ -7,13 +9,13 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
 
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -1,20 +1,16 @@
+# Rubocop::EightyFourCodes
+
 This is a collection of cops developed and used by 84codes AB
-This code is based heavily upon the [rubocop-gitlab-security](https://gitlab.com/gitlab-org/rubocop-gitlab-security)
-code released under the MIT License.
 
 ## Installation
 
-Just install the `rubocop-eightyfourcodes` gem
+Install the gem and add to the application's Gemfile by executing:
 
-```bash
-gem install rubocop-eightyfourcodes
-```
+    bundle add rubocop-eightyfourcodes --require=false
 
-or if you use bundler put this in your `Gemfile`
+If bundler is not being used to manage dependencies, install the gem by executing:
 
-```yaml
-gem 'rubocop-eightyfourcodes'
-```
+    gem install rubocop-eightyfourcodes
 
 ## Usage
 
@@ -32,64 +28,20 @@ require: rubocop-eightyfourcodes
 Now you can run `rubocop` and it will automatically load the RuboCop eightyfourcodes
 cops together with the standard cops.
 
-### Command line
-
-```bash
-rubocop --require rubocop-eightyfourcodes
-```
-
-### Rake task
+## Development
 
-```ruby
-RuboCop::RakeTask.new do |task|
-  task.requires << 'rubocop-eightyfourcodes'
-end
-```
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-## Inspecting specific files
+Use `bundle exec rake 'new_cop[EightyFourCodes/CommandLiteralInjection]'` to generate a new cop.
 
-By default, `rubocop-eightyfourcodes` inspects all files. You can override this setting in your config file by specifying one or more patterns:
+The [NodePattern Debugger](https://nodepattern.herokuapp.com/) is a very helpful resource when creating new AST matchers.
 
-```yaml
-# Inspect all files
-AllCops:
-  EightyFourCodes:
-    Patterns:
-    - '.+'
-```
-
-```yaml
-# Inspect only controller files.
-AllCops:
-  EightyFourCodes:
-    Patterns:
-    - app/controllers/**/*.rb
-```
-
-## The Cops
-
-All cops are located under
-[`lib/rubocop/cop/eighty_four_codes`](lib/rubocop/cop/eighty_four_codes), and contain
-examples/documentation.
-
-In your `.rubocop.yml`, you may treat the eightyfourcodes cops just like any other
-cop. For example:
-
-```yaml
-EightyFourCodes/CommandLiteralInjection:
-  Exclude:
-    - 'spec/**/*'
-```
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing
 
-1. Fork it
-2. Create your feature branch (`git checkout -b my-new-feature`)
-3. Commit your changes (`git commit -am 'Add some feature'`)
-4. Push to the branch (`git push origin my-new-feature`)
-5. Create new Merge Request
+Bug reports and pull requests are welcome on GitHub at <https://github.com/84codes/rubocop-eightyfourcodes>.
 
 ## License
 
-`rubocop-eightyfourcodes` is MIT licensed. [See the accompanying file](LICENSE.md) for
-the full text.
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]
+
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = FileList['spec/**/*_spec.rb']
+end
+
+desc 'Generate a new cop with a template'
+task :new_cop, [:cop] do |_task, args|
+  require 'rubocop'
+
+  cop_name = args.fetch(:cop) do
+    warn 'usage: bundle exec rake new_cop[Department/Name]'
+    exit!
+  end
+
+  generator = RuboCop::Cop::Generator.new(cop_name)
+
+  generator.write_source
+  generator.write_spec
+  generator.inject_require(root_file_path: 'lib/rubocop/cop/eightyfourcodes_cops.rb')
+  generator.inject_config(config_file_path: 'config/default.yml')
+
+  puts generator.todo
+end

data/config/default.yml

@@ -1,15 +1,43 @@
 ---
-AllCops:
-  EightyFourCodes:
-    Patterns:
-      - ".+"
-
 EightyFourCodes/CommandLiteralInjection:
-  Description: "Check for Command Injection in `` and %x"
+  Description: "Do not include variables command literals"
   Enabled: true
   VersionAdded: "0.0.1"
-
 EightyFourCodes/RubyVersionFile:
-  Description: "Ensure .ruby-version file use in Gemfile"
+  Description: "Control Ruby version via .ruby-version"
   Enabled: true
   VersionAdded: "0.0.2"
+EightyFourCodes/EnsureRedirect:
+  Description: "Checks for `redirect` from an `ensure` block"
+  Enabled: true
+  VersionAdded: "0.0.3"
+GitlabSecurity/DeepMunge:
+  Description: "Checks for disabling the deep munge security control."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/JsonSerialization:
+  Description: "Checks for `to_json` / `as_json` without allowing via `only`."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/PublicSend:
+  Description: "Checks for the use of `public_send`, `send`, and `__send__` methods."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/RedirectToParamsUpdate:
+  Description: "Check for use of redirect_to(params.update())"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SendFileParams:
+  Description: "Check for use of send_file(..., params[], ...)"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SqlInjection:
+  Description: |
+    Check for use of where("name = '#{params[:name]}'")"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SystemCommandInjection:
+  Description: |
+    Check for use of system("/bin/ls #{params[:file]}")
+  Enabled: true
+  VersionAdded: "0.0.4"

data/lib/rubocop/cop/eighty_four_codes/command_literal_injection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RuboCop
   module Cop
     module EightyFourCodes
@@ -15,8 +17,8 @@ module RuboCop
       #   # even better
       #   exec("/bin/ls", shell_escape(filename))
       #
-      class CommandLiteralInjection < RuboCop::Cop::Cop
-        MSG = 'Do not include variables command literals. Use parameters "system(cmd, params)" or exec() instead'.freeze
+      class CommandLiteralInjection < Base
+        MSG = 'Do not include variables command literals. Use parameters "system(cmd, params)" or exec() instead'
 
         def_node_matcher :literal_var?, <<-PATTERN
           (begin ...)

data/lib/rubocop/cop/eighty_four_codes/ensure_redirect.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module EightyFourCodes
+      # Checks for `redirect` from an `ensure` block.
+      # `redirect` from an ensure block is a dangerous code smell as it
+      # will take precedence over any exception being raised,
+      # and the exception will be silently thrown away as if it were rescued.
+      #
+      # If you want to rescue some (or all) exceptions, best to do it explicitly
+      #
+      # @example
+      #
+      #   # bad
+      #   def foo
+      #     do_something
+      #   ensure
+      #     cleanup
+      #     redirect "/"
+      #   end
+      #
+      #
+      #   # good
+      #   def foo
+      #     begin
+      #       do_something
+      #     rescue SomeException
+      #       # Let's ignore this exception
+      #     end
+      #     redirect "/"
+      #   ensure
+      #     cleanup
+      #   end
+      class EnsureRedirect < Base
+        MSG = 'Do not redirect from an `ensure` block.'
+
+        def on_ensure(node)
+          # `:send` nodes represent method calls, so we look for send nodes and then check if they are `redirect`
+          node.body&.each_node(:send) do |send_node|
+            # Check if the method name being called is `redirect`
+            add_offense(send_node) if send_node.method?(:redirect)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/eighty_four_codes/ruby_version_file.rb

@@ -1,48 +1,44 @@
 # frozen_string_literal: true
 
 module RuboCop
-    module Cop
-      module EightyFourCodes
-        # Read Ruby version from a .ruby-version file
-        #
-        # Instead of staticly defining the Ruby runtime version in Gemfile, load it from
-        # a .ruby-version file definition. As this Ruby version file is read by rbenv, chruby etc
-        # it's much easier for the developer to work with multiple projects with different versions.
-        #
-        # @example
-        #   # bad
-        #   ruby 2.6.6
-        #
-        #   # good
-        #   ruby File.read('.ruby-version')
-        class RubyVersionFile < Base
-          extend AutoCorrector
+  module Cop
+    module EightyFourCodes
+      # Read Ruby version from a .ruby-version file
+      #
+      # Instead of staticly defining the Ruby runtime version in Gemfile, load it from
+      # a .ruby-version file definition. As this Ruby version file is read by rbenv, chruby etc
+      # it's much easier for the developer to work with multiple projects with different versions.
+      #
+      # @example
+      #   # bad
+      #   ruby 2.6.6
+      #
+      #   # good
+      #   ruby File.read('.ruby-version')
+      class RubyVersionFile < Base
+        extend AutoCorrector
 
-          MSG = "Control Ruby version via .ruby-version, fix by replacing with File.read('.ruby-version')"
+        MSG = "Control Ruby version via .ruby-version, fix by replacing with File.read('.ruby-version')"
 
-          RESTRICT_ON_SEND = %i[ruby].freeze
+        RESTRICT_ON_SEND = %i[ruby].freeze
 
-          def_node_matcher :static_version_found?, <<~PATTERN
-            (send nil? :ruby
-              $(str _))
-          PATTERN
+        def_node_matcher :static_version_found?, <<~PATTERN
+          (send nil? :ruby
+            $(str _))
+        PATTERN
 
-          def on_send(node)
-            return unless File.basename(processed_source.file_path).eql?('Gemfile')
-            static_version_found?(node) do |source_node, source|
-              message = format(MSG, source: source)
+        def on_send(node)
+          return unless File.basename(processed_source.file_path).eql?('Gemfile')
 
-              add_offense(
-                source_node,
-                message: message
-              ) do |corrector|
-                corrector.replace(
-                  source_node, "File.read('.ruby-version')"
-                )
-              end
+          static_version_found?(node) do |source_node, source|
+            message = format(MSG, source: source)
+
+            add_offense(source_node, message: message) do |corrector|
+              corrector.replace(source_node, "File.read('.ruby-version')")
             end
           end
         end
       end
     end
   end
+end

data/lib/rubocop/cop/eightyfourcodes_cops.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require_relative 'eighty_four_codes/command_literal_injection'
+require_relative 'eighty_four_codes/ensure_redirect'
+require_relative 'eighty_four_codes/ruby_version_file'
+
+require_relative 'gitlab_security/json_serialization'
+require_relative 'gitlab_security/public_send'
+require_relative 'gitlab_security/redirect_to_params_update'
+require_relative 'gitlab_security/send_file_params'
+require_relative 'gitlab_security/sql_injection'
+require_relative 'gitlab_security/system_command_injection'

data/lib/rubocop/cop/gitlab_security/deep_munge.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for disabling the deep munge security control.
+      #
+      # Disabling this security setting can leave the application open to unsafe
+      # query generation
+      #
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      #
+      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
+      class DeepMunge < RuboCop::Cop::Base
+        MSG = 'Never disable the deep munge security option.'
+
+        # @!method disable_deep_munge?(node)
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send
+            (send (send nil? :config) :action_dispatch) :perform_deep_munge=
+              { (false) (send true :!) }
+          )
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end