rubocop-eightyfourcodes 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 19712be6c6408b1056c9c1c664e27d6663fc10a9722e3e185f730241817a25d4
-  data.tar.gz: a85bd64721dbe996d990ec7315da27f0ac6bf7dc7bd92a0ced8db3b6d916ccdd
+  metadata.gz: a2337a72314ad6423017df81a2dcf8f83013dc6e873fd69b5125378182721640
+  data.tar.gz: b32af92eabaeea8c0d9d87f65bfdcbc7143dfe57721a389ad1c883f287134559
 SHA512:
-  metadata.gz: 42b8a8f7ee06570552cabf4a2172956124ab78ce6f3a1ead118485f490f550a56389966e8c4ce1692b42cc974d0312186caae7384f14e7c96e62e527e816e9ec
-  data.tar.gz: d731529270d4e2ba9601e11baaf9f957e15be5971f8f9128a02eb52a5f2e171ea33158eefeb917207dc243d55ea0acae2149ffb1b9d5691832b1a81590be9b72
+  metadata.gz: af6326b9251b078270670d986af36041e0af768bb69d29ba9e960f0663dc420444e333057b886714c4184ac1201624d2ab0cd34f5b1425860f70c9e0b666c747
+  data.tar.gz: 84565456b4a0c98c085ec35f86da4bd4765a399b822068d6a51df0129ab786dc0ba97a147e221b187a48b3690bb130cc77592b035c447f6da92aaf8e48c50efc

data/.rubocop.yml

@@ -1,7 +1,14 @@
-require:
+plugins:
   - rubocop-rspec
   - rubocop-rake
 
+AllCops:
+  NewCops: enable
+  Exclude:
+    - 'lib/rubocop/cop/gitlab_security/*.rb'
+    - 'spec/rubocop/cop/gitlab_security/*.rb'
+    # avoid linting installed gems when running in GitHub Actions
+    - '**/vendor/bundle/**/*' 
 Naming/FileName:
   Exclude:
     - lib/rubocop-eightyfourcodes.rb

data/Gemfile.lock

@@ -1,29 +1,30 @@
 PATH
   remote: .
   specs:
-    rubocop-eightyfourcodes (0.0.3)
-      rubocop
+    rubocop-eightyfourcodes (0.0.4)
+      rubocop (< 2)
 
 GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.2)
-    diff-lcs (1.5.1)
-    json (2.7.2)
-    language_server-protocol (3.17.0.3)
+    diff-lcs (1.6.0)
+    json (2.10.2)
+    language_server-protocol (3.17.0.4)
+    lint_roller (1.1.0)
     parallel (1.26.3)
-    parser (3.3.5.0)
+    parser (3.3.7.1)
       ast (~> 2.4.1)
       racc
     racc (1.8.1)
     rainbow (3.1.1)
     rake (13.2.1)
-    regexp_parser (2.9.2)
+    regexp_parser (2.10.0)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.2)
+    rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
@@ -31,28 +32,34 @@ GEM
     rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.1)
-    rubocop (1.67.0)
+    rspec-support (3.13.2)
+    rubocop (1.74.0)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.32.2, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.32.3)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.40.0)
       parser (>= 3.3.1.0)
-    rubocop-rake (0.6.0)
-      rubocop (~> 1.0)
-    rubocop-rspec (3.1.0)
-      rubocop (~> 1.61)
+    rubocop-rake (0.7.1)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1)
+    rubocop-rspec (3.5.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
     ruby-progressbar (1.13.0)
-    unicode-display_width (2.6.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
     yard (0.9.37)
 
 PLATFORMS
+  arm64-darwin-23
   ruby
 
 DEPENDENCIES
@@ -65,4 +72,4 @@ DEPENDENCIES
   yard
 
 BUNDLED WITH
-   2.5.22
+   2.6.4

data/config/default.yml

@@ -1,5 +1,4 @@
-# Write it!
-
+---
 EightyFourCodes/CommandLiteralInjection:
   Description: "Do not include variables command literals"
   Enabled: true
@@ -12,3 +11,33 @@ EightyFourCodes/EnsureRedirect:
   Description: "Checks for `redirect` from an `ensure` block"
   Enabled: true
   VersionAdded: "0.0.3"
+GitlabSecurity/DeepMunge:
+  Description: "Checks for disabling the deep munge security control."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/JsonSerialization:
+  Description: "Checks for `to_json` / `as_json` without allowing via `only`."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/PublicSend:
+  Description: "Checks for the use of `public_send`, `send`, and `__send__` methods."
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/RedirectToParamsUpdate:
+  Description: "Check for use of redirect_to(params.update())"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SendFileParams:
+  Description: "Check for use of send_file(..., params[], ...)"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SqlInjection:
+  Description: |
+    Check for use of where("name = '#{params[:name]}'")"
+  Enabled: true
+  VersionAdded: "0.0.4"
+GitlabSecurity/SystemCommandInjection:
+  Description: |
+    Check for use of system("/bin/ls #{params[:file]}")
+  Enabled: true
+  VersionAdded: "0.0.4"

data/lib/rubocop/cop/eightyfourcodes_cops.rb

@@ -3,3 +3,10 @@
 require_relative 'eighty_four_codes/command_literal_injection'
 require_relative 'eighty_four_codes/ensure_redirect'
 require_relative 'eighty_four_codes/ruby_version_file'
+
+require_relative 'gitlab_security/json_serialization'
+require_relative 'gitlab_security/public_send'
+require_relative 'gitlab_security/redirect_to_params_update'
+require_relative 'gitlab_security/send_file_params'
+require_relative 'gitlab_security/sql_injection'
+require_relative 'gitlab_security/system_command_injection'

data/lib/rubocop/cop/gitlab_security/deep_munge.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for disabling the deep munge security control.
+      #
+      # Disabling this security setting can leave the application open to unsafe
+      # query generation
+      #
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      #
+      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
+      class DeepMunge < RuboCop::Cop::Base
+        MSG = 'Never disable the deep munge security option.'
+
+        # @!method disable_deep_munge?(node)
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send
+            (send (send nil? :config) :action_dispatch) :perform_deep_munge=
+              { (false) (send true :!) }
+          )
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/json_serialization.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without allowing via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Base
+        MSG = "Don't use `%s` without specifying `only`"
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        # @!method json_serialization?(node)
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil? hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        # @!method only_pair?(node)
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        # @!method include_pair?(node)
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        # @!method contains_only?(node)
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        # @!method constant_init(node)
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil? $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            @offense_found = true
+            # Empty `to_json` call
+            add_offense(node.loc.selector, message: format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          @offense_found = true
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, message: format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              @offense_found = true
+              add_offense(child_node, message: format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          !@offense_found
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/public_send.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
+      #
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
+      #
+      # @example
+      #
+      #   # bad
+      #   myobj.public_send("#{params[:foo]}")
+      #
+      #   # good
+      #   case params[:foo].to_s
+      #   when 'choice1'
+      #     items.choice1
+      #   when 'choice2'
+      #     items.choice2
+      #   when 'choice3'
+      #     items.choice3
+      #   end
+      class PublicSend < RuboCop::Cop::Base
+        MSG = 'Avoid using `%s`.'
+
+        RESTRICT_ON_SEND = %i[send public_send __send__].freeze
+
+        # @!method send?(node)
+        def_node_matcher :send?, <<-PATTERN
+          (call _ ${:send :public_send :__send__} ...)
+        PATTERN
+
+        def on_send(node)
+          send?(node) do |match|
+            next unless node.arguments?
+
+            add_offense(node.loc.selector, message: format(MSG, match))
+          end
+        end
+
+        alias_method :on_csend, :on_send
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of redirect_to(params.update())
+      #
+      # Passing user params to the redirect_to method provides an open redirect
+      #
+      # @example
+      #
+      #   # bad
+      #   redirect_to(params.update(action: 'main'))
+      #
+      #   # good
+      #   redirect_to(allowed(params))
+      #
+      class RedirectToParamsUpdate < RuboCop::Cop::Base
+        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
+          'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'
+
+        # @!method redirect_to_params_update_node(node)
+        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
+           (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
+        PATTERN
+
+        def on_send(node)
+          selected, name = redirect_to_params_update_node(node)
+          return unless name
+
+          message = format(MSG, name: name)
+
+          add_offense(selected, message: message)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/send_file_params.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of send_file(..., params[], ...)
+      #
+      # Passing user params to the send_file() method allows directory traversal
+      #
+      # @example
+      #
+      #   # bad
+      #   send_file("/tmp/myproj/" + params[:filename])
+      #
+      #   # good (verify directory)
+
+      #   basename = File.expand_path("/tmp/myproj")
+      #   filename = File.expand_path(File.join(basename, @file.public_filename))
+      #   raise if basename != filename
+      #   send_file filename, disposition: 'inline'
+      #
+      class SendFileParams < RuboCop::Cop::Base
+        MSG = 'Do not pass user provided params directly to send_file(), ' \
+          'verify the path with file.expand_path() first.'
+
+        # @!method params_node?(node)
+        def_node_search :params_node?, <<-PATTERN
+           (send (send nil? :params) ... )
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:send_file)
+          return unless node.arguments.any? { |e| params_node?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/sql_injection.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Base
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.'
+
+        # @!method where_user_input?(node)
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        # @!method string_var_string?(node)
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.arguments.any? { |e| string_var_string?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab_security/system_command_injection.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      #
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #{filename}")
+      #
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Base
+        MSG = 'Do not include variables in the command name for system(). ' \
+          'Use parameters "system(cmd, params)" or exec() instead.'
+
+        # @!method system_var?(node)
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.arguments.any? { |e| system_var?(e) }
+
+          add_offense(node.loc.selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/eightyfourcodes/version.rb

@@ -2,6 +2,6 @@
 
 module RuboCop
   module EightyFourCodes
-    VERSION = '0.0.3'
+    VERSION = '0.0.4'
   end
 end

data/rubocop-eightyfourcodes.gemspec

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative 'lib/rubocop/eightyfourcodes/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'rubocop-eightyfourcodes'
+  spec.version = RuboCop::EightyFourCodes::VERSION
+  spec.authors = ['Anders Bälter']
+  spec.email = ['anders@84codes.com']
+
+  spec.summary = 'This is a collection of cops developed and used by 84codes AB.'
+  spec.description = <<~DESCRIPTION
+    A plugin for the RuboCop code style enforcing & linting tool.
+  DESCRIPTION
+  spec.homepage = 'https://github.com/84codes/rubocop-eightyfourcodes/'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 2.6.0'
+
+  spec.metadata = {
+    'rubygems_mfa_required' => 'true'
+  }
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|circleci)|appveyor)})
+    end
+  end
+
+  spec.require_paths = ['lib']
+  spec.add_dependency 'rubocop', '< 2'
+  spec.extra_rdoc_files = ['LICENSE.md', 'README.md']
+end

metadata

@@ -1,29 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-eightyfourcodes
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Anders Bälter
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-23 00:00:00.000000000 Z
+date: 2025-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
 description: 'A plugin for the RuboCop code style enforcing & linting tool.
 
   '
@@ -49,15 +48,23 @@ files:
 - lib/rubocop/cop/eighty_four_codes/ensure_redirect.rb
 - lib/rubocop/cop/eighty_four_codes/ruby_version_file.rb
 - lib/rubocop/cop/eightyfourcodes_cops.rb
+- lib/rubocop/cop/gitlab_security/deep_munge.rb
+- lib/rubocop/cop/gitlab_security/json_serialization.rb
+- lib/rubocop/cop/gitlab_security/public_send.rb
+- lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb
+- lib/rubocop/cop/gitlab_security/send_file_params.rb
+- lib/rubocop/cop/gitlab_security/sql_injection.rb
+- lib/rubocop/cop/gitlab_security/system_command_injection.rb
 - lib/rubocop/eightyfourcodes.rb
 - lib/rubocop/eightyfourcodes/inject.rb
 - lib/rubocop/eightyfourcodes/version.rb
+- rubocop-eightyfourcodes.gemspec
 - sig/rubocop/eightyfourcodes.rbs
 homepage: https://github.com/84codes/rubocop-eightyfourcodes/
 licenses:
 - MIT
-metadata: {}
-post_install_message:
+metadata:
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -72,8 +79,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: This is a collection of cops developed and used by 84codes AB.
 test_files: []