rubocop-eightyfourcodes 0.0.2 → 0.0.4

data/lib/rubocop/cop/gitlab_security/json_serialization.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without allowing via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Base
+        MSG = "Don't use `%s` without specifying `only`"
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        # @!method json_serialization?(node)
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil? hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        # @!method only_pair?(node)
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        # @!method include_pair?(node)
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        # @!method contains_only?(node)
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        # @!method constant_init(node)
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil? $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            @offense_found = true
+            # Empty `to_json` call
+            add_offense(node.loc.selector, message: format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          @offense_found = true
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, message: format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              @offense_found = true
+              add_offense(child_node, message: format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          !@offense_found
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/public_send.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
+      #
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
+      #
+      # @example
+      #
+      #   # bad
+      #   myobj.public_send("#{params[:foo]}")
+      #
+      #   # good
+      #   case params[:foo].to_s
+      #   when 'choice1'
+      #     items.choice1
+      #   when 'choice2'
+      #     items.choice2
+      #   when 'choice3'
+      #     items.choice3
+      #   end
+      class PublicSend < RuboCop::Cop::Base
+        MSG = 'Avoid using `%s`.'
+
+        RESTRICT_ON_SEND = %i[send public_send __send__].freeze
+
+        # @!method send?(node)
+        def_node_matcher :send?, <<-PATTERN
+          (call _ ${:send :public_send :__send__} ...)
+        PATTERN
+
+        def on_send(node)
+          send?(node) do |match|
+            next unless node.arguments?
+
+            add_offense(node.loc.selector, message: format(MSG, match))
+          end
+        end
+
+        alias_method :on_csend, :on_send
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of redirect_to(params.update())
+      #
+      # Passing user params to the redirect_to method provides an open redirect
+      #
+      # @example
+      #
+      #   # bad
+      #   redirect_to(params.update(action: 'main'))
+      #
+      #   # good
+      #   redirect_to(allowed(params))
+      #
+      class RedirectToParamsUpdate < RuboCop::Cop::Base
+        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
+          'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
+
+        # @!method redirect_to_params_update_node(node)
+        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
+           (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
+        PATTERN
+
+        def on_send(node)
+          selected, name = redirect_to_params_update_node(node)
+          return unless name
+
+          message = format(MSG, name: name)
+
+          add_offense(selected, message: message)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/send_file_params.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of send_file(..., params[], ...)
+      #
+      # Passing user params to the send_file() method allows directory traversal
+      #
+      # @example
+      #
+      #   # bad
+      #   send_file("/tmp/myproj/" + params[:filename])
+      #
+      #   # good (verify directory)
+
+      #   basename = File.expand_path("/tmp/myproj")
+      #   filename = File.expand_path(File.join(basename, @file.public_filename))
+      #   raise if basename != filename
+      #   send_file filename, disposition: 'inline'
+      #
+      class SendFileParams < RuboCop::Cop::Base
+        MSG = 'Do not pass user provided params directly to send_file(), ' \
+          'verify the path with file.expand_path() first.'
+
+        # @!method params_node?(node)
+        def_node_search :params_node?, <<-PATTERN
+           (send (send nil? :params) ... )
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:send_file)
+          return unless node.arguments.any? { |e| params_node?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/sql_injection.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Base
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
+
+        # @!method where_user_input?(node)
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        # @!method string_var_string?(node)
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.arguments.any? { |e| string_var_string?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/system_command_injection.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      #
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #{filename}")
+      #
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Base
+        MSG = 'Do not include variables in the command name for system(). ' \
+          'Use parameters "system(cmd, params)" or exec() instead.'
+
+        # @!method system_var?(node)
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.arguments.any? { |e| system_var?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/{eighty_four_codes → eightyfourcodes}/inject.rb

@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+# The original code is from https://github.com/rubocop/rubocop-rspec/blob/master/lib/rubocop/rspec/inject.rb
+# See https://github.com/rubocop/rubocop-rspec/blob/master/MIT-LICENSE.md
 module RuboCop
   module EightyFourCodes
     # Because RuboCop doesn't yet support plugins, we have to monkey patch in a
@@ -6,7 +10,7 @@ module RuboCop
       def self.defaults!
         path = CONFIG_DEFAULT.to_s
         hash = ConfigLoader.send(:load_yaml_configuration, path)
-        config = Config.new(hash, path)
+        config = Config.new(hash, path).tap(&:make_excludes_absolute)
         puts "configuration from #{path}" if ConfigLoader.debug?
         config = ConfigLoader.merge_with_default(config, path)
         ConfigLoader.instance_variable_set(:@default_configuration, config)

data/lib/rubocop/eightyfourcodes/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module EightyFourCodes
+    VERSION = '0.0.4'
+  end
+end

data/lib/rubocop/{eighty_four_codes.rb → eightyfourcodes.rb}

@@ -1,6 +1,11 @@
+# frozen_string_literal: true
+
+require_relative 'eightyfourcodes/version'
+
 module RuboCop
-  # RuboCop RSpec project namespace
+  # Namespace for EightyFourCodes cops
   module EightyFourCodes
+    class Error < StandardError; end
     PROJECT_ROOT   = Pathname.new(__dir__).parent.parent.expand_path.freeze
     CONFIG_DEFAULT = PROJECT_ROOT.join('config', 'default.yml').freeze
     CONFIG         = YAML.safe_load(CONFIG_DEFAULT.read).freeze

data/lib/rubocop-eightyfourcodes.rb

@@ -1,22 +1,11 @@
-require 'pathname'
-require 'yaml'
+# frozen_string_literal: true
 
 require 'rubocop'
 
-require 'rubocop/eighty_four_codes'
-require 'rubocop/eighty_four_codes/version'
-require 'rubocop/eighty_four_codes/inject'
-require 'rubocop/eighty_four_codes/top_level_describe'
-require 'rubocop/eighty_four_codes/wording'
-require 'rubocop/eighty_four_codes/util'
-require 'rubocop/eighty_four_codes/language'
-require 'rubocop/eighty_four_codes/language/node_pattern'
-require 'rubocop/eighty_four_codes/concept'
-require 'rubocop/eighty_four_codes/example_group'
-require 'rubocop/eighty_four_codes/example'
-require 'rubocop/eighty_four_codes/hook'
-require 'rubocop/cop/eighty_four_codes/cop'
+require_relative 'rubocop/eightyfourcodes'
+require_relative 'rubocop/eightyfourcodes/version'
+require_relative 'rubocop/eightyfourcodes/inject'
 
 RuboCop::EightyFourCodes::Inject.defaults!
 
-Dir["#{__dir__}/rubocop/cop/eighty_four_codes/**/*.rb"].each { |cop| require cop }
+require_relative 'rubocop/cop/eightyfourcodes_cops'

data/rubocop-eightyfourcodes.gemspec

@@ -1,35 +1,34 @@
-$LOAD_PATH.unshift File.expand_path('lib', __dir__)
-require 'rubocop/eighty_four_codes/version'
+# frozen_string_literal: true
+
+require_relative 'lib/rubocop/eightyfourcodes/version'
 
 Gem::Specification.new do |spec|
   spec.name = 'rubocop-eightyfourcodes'
-  spec.summary = 'Basic security checks for projects'
+  spec.version = RuboCop::EightyFourCodes::VERSION
+  spec.authors = ['Anders Bälter']
+  spec.email = ['anders@84codes.com']
+
+  spec.summary = 'This is a collection of cops developed and used by 84codes AB.'
   spec.description = <<~DESCRIPTION
-    Basic security checking for Ruby files.
     A plugin for the RuboCop code style enforcing & linting tool.
   DESCRIPTION
   spec.homepage = 'https://github.com/84codes/rubocop-eightyfourcodes/'
-  spec.authors = ['Anders Bälter', 'Brian Neel']
-  spec.email = [
-    'anders@eightyfourcodes.com',
-    'brian@gitlab.com'
-  ]
-  spec.licenses = ['MIT']
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.6.0'
+
+  spec.metadata = {
+    'rubygems_mfa_required' => 'true'
+  }
 
-  spec.version = RuboCop::EightyFourCodes::Version::STRING
-  spec.platform = Gem::Platform::RUBY
-  spec.required_ruby_version = '>= 2.3.0'
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|circleci)|appveyor)})
+    end
+  end
 
   spec.require_paths = ['lib']
-  spec.files = Dir[
-    '{config,lib}/**/*',
-    '*.md',
-    '*.gemspec',
-    'Gemfile'
-  ]
+  spec.add_dependency 'rubocop', '< 2'
   spec.extra_rdoc_files = ['LICENSE.md', 'README.md']
-
-  spec.add_runtime_dependency 'rubocop', '>= 0.51'
-
-  spec.add_development_dependency 'rake'
 end

data/sig/rubocop/eightyfourcodes.rbs

@@ -0,0 +1,6 @@
+module Rubocop
+  module EightyFourCodes
+    VERSION: String
+    # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+  end
+end

metadata

@@ -1,87 +1,70 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-eightyfourcodes
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.4
 platform: ruby
 authors:
 - Anders Bälter
-- Brian Neel
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-09-24 00:00:00.000000000 Z
+date: 2025-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0.51'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0.51'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: |
-  Basic security checking for Ruby files.
-  A plugin for the RuboCop code style enforcing & linting tool.
+        version: '2'
+description: 'A plugin for the RuboCop code style enforcing & linting tool.
+
+  '
 email:
-- anders@eightyfourcodes.com
-- brian@gitlab.com
+- anders@84codes.com
 executables: []
 extensions: []
 extra_rdoc_files:
 - LICENSE.md
 - README.md
 files:
+- ".rspec"
+- ".rubocop.yml"
 - CHANGELOG.md
-- CONTRIBUTING.md
 - Gemfile
+- Gemfile.lock
 - LICENSE.md
 - README.md
+- Rakefile
 - config/default.yml
 - lib/rubocop-eightyfourcodes.rb
 - lib/rubocop/cop/eighty_four_codes/command_literal_injection.rb
-- lib/rubocop/cop/eighty_four_codes/cop.rb
+- lib/rubocop/cop/eighty_four_codes/ensure_redirect.rb
 - lib/rubocop/cop/eighty_four_codes/ruby_version_file.rb
-- lib/rubocop/cop/eighty_four_codes/shell_escape.rb
-- lib/rubocop/eighty_four_codes.rb
-- lib/rubocop/eighty_four_codes/concept.rb
-- lib/rubocop/eighty_four_codes/config_formatter.rb
-- lib/rubocop/eighty_four_codes/description_extractor.rb
-- lib/rubocop/eighty_four_codes/example.rb
-- lib/rubocop/eighty_four_codes/example_group.rb
-- lib/rubocop/eighty_four_codes/hook.rb
-- lib/rubocop/eighty_four_codes/inject.rb
-- lib/rubocop/eighty_four_codes/language.rb
-- lib/rubocop/eighty_four_codes/language/node_pattern.rb
-- lib/rubocop/eighty_four_codes/top_level_describe.rb
-- lib/rubocop/eighty_four_codes/util.rb
-- lib/rubocop/eighty_four_codes/version.rb
-- lib/rubocop/eighty_four_codes/wording.rb
+- lib/rubocop/cop/eightyfourcodes_cops.rb
+- lib/rubocop/cop/gitlab_security/deep_munge.rb
+- lib/rubocop/cop/gitlab_security/json_serialization.rb
+- lib/rubocop/cop/gitlab_security/public_send.rb
+- lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb
+- lib/rubocop/cop/gitlab_security/send_file_params.rb
+- lib/rubocop/cop/gitlab_security/sql_injection.rb
+- lib/rubocop/cop/gitlab_security/system_command_injection.rb
+- lib/rubocop/eightyfourcodes.rb
+- lib/rubocop/eightyfourcodes/inject.rb
+- lib/rubocop/eightyfourcodes/version.rb
 - rubocop-eightyfourcodes.gemspec
+- sig/rubocop/eightyfourcodes.rbs
 homepage: https://github.com/84codes/rubocop-eightyfourcodes/
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -89,15 +72,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
-summary: Basic security checks for projects
+summary: This is a collection of cops developed and used by 84codes AB.
 test_files: []

data/CONTRIBUTING.md

@@ -1,3 +0,0 @@
-# Contributing
-
-<https://docs.rubocop.org/en/latest/contributing/>