rubocop-github 0.13.0 → 0.16.2

data/config/rails_deprecated.yml

@@ -0,0 +1,7 @@
+inherit_from: _rails_shared.yml
+
+Rails:
+  Enabled: true
+
+Rails/FindEach:
+  Enabled: false

data/config/rails_edge.yml

@@ -0,0 +1,4 @@
+inherit_from: _rails_shared.yml
+
+require:
+  - rubocop-rails

data/lib/rubocop/cop/github.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "rubocop/cop/github/insecure_hash_algorithm"
 require "rubocop/cop/github/rails_application_record"
 require "rubocop/cop/github/rails_controller_render_action_symbol"
 require "rubocop/cop/github/rails_controller_render_literal"

data/lib/rubocop/cop/github/insecure_hash_algorithm.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+require "rubocop"
+
+module RuboCop
+  module Cop
+    module GitHub
+      class InsecureHashAlgorithm < Cop
+        MSG = "This hash function is not allowed"
+        UUID_V3_MSG = "uuid_v3 uses MD5, which is not allowed"
+        UUID_V5_MSG = "uuid_v5 uses SHA1, which is not allowed"
+
+        # Matches constants like these:
+        #   Digest::MD5
+        #   OpenSSL::Digest::MD5
+        def_node_matcher :insecure_const?, <<-PATTERN
+          (const (const _ :Digest) #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like these:
+        #   Digest.new('md5')
+        #   Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest.new('md5')
+        #   OpenSSL::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new('md5')
+        #   OpenSSL::Digest::Digest.hexdigest('md5', 'str')
+        #   OpenSSL::Digest::Digest.new(:MD5)
+        #   OpenSSL::Digest::Digest.hexdigest(:MD5, 'str')
+        def_node_matcher :insecure_digest?, <<-PATTERN
+          (send
+            (const _ {:Digest :HMAC})
+            #not_just_encoding?
+            #insecure_algorithm?
+            ...)
+        PATTERN
+
+        # Matches calls like "Digest(:MD5)".
+        def_node_matcher :insecure_hash_lookup?, <<-PATTERN
+          (send _ :Digest #insecure_algorithm?)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, hash)"
+        def_node_matcher :openssl_hmac_new?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new ...)
+        PATTERN
+
+        # Matches calls like "OpenSSL::HMAC.new(secret, 'sha1')"
+        def_node_matcher :openssl_hmac_new_insecure?, <<-PATTERN
+          (send (const (const _ :OpenSSL) :HMAC) :new _ #insecure_algorithm?)
+        PATTERN
+
+        # Matches Rails's Digest::UUID.
+        def_node_matcher :digest_uuid?, <<-PATTERN
+          (const (const _ :Digest) :UUID)
+        PATTERN
+
+        def_node_matcher :uuid_v3?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v3 ...)
+        PATTERN
+
+        def_node_matcher :uuid_v5?, <<-PATTERN
+          (send (const _ :UUID) :uuid_v5 ...)
+        PATTERN
+
+        def insecure_algorithm?(val)
+          return false if val == :Digest # Don't match "Digest::Digest".
+          case alg_name(val)
+          when *allowed_hash_functions
+            false
+          when Symbol
+            # can't figure this one out, it's nil or a var or const.
+            false
+          else
+            true
+          end
+        end
+
+        def not_just_encoding?(val)
+          !just_encoding?(val)
+        end
+
+        def just_encoding?(val)
+          val == :hexencode || val == :bubblebabble
+        end
+
+        # Built-in hash functions are listed in these docs:
+        #  https://ruby-doc.org/stdlib-2.7.0/libdoc/digest/rdoc/Digest.html
+        #  https://ruby-doc.org/stdlib-2.7.0/libdoc/openssl/rdoc/OpenSSL/Digest.html
+        DEFAULT_ALLOWED = %w[
+          SHA256
+          SHA384
+          SHA512
+        ].freeze
+
+        def allowed_hash_functions
+          @allowed_algorithms ||= cop_config.fetch("Allowed", DEFAULT_ALLOWED).map(&:downcase)
+        end
+
+        def alg_name(val)
+          return :nil if val.nil?
+          return val.to_s.downcase unless val.is_a?(RuboCop::AST::Node)
+          case val.type
+          when :sym, :str
+            val.children.first.to_s.downcase
+          else
+            val.type
+          end
+        end
+
+        def on_const(const_node)
+          if insecure_const?(const_node) && !digest_uuid?(const_node)
+            add_offense(const_node, message: MSG)
+          end
+        end
+
+        def on_send(send_node)
+          case
+          when uuid_v3?(send_node)
+            unless allowed_hash_functions.include?("md5")
+              add_offense(send_node, message: UUID_V3_MSG)
+            end
+          when uuid_v5?(send_node)
+            unless allowed_hash_functions.include?("sha1")
+              add_offense(send_node, message: UUID_V5_MSG)
+            end
+          when openssl_hmac_new?(send_node)
+            if openssl_hmac_new_insecure?(send_node)
+              add_offense(send_node, message: MSG)
+            end
+          when insecure_digest?(send_node)
+            add_offense(send_node, message: MSG)
+          when insecure_hash_lookup?(send_node)
+            add_offense(send_node, message: MSG)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/github/rails_controller_render_action_symbol.rb

@@ -9,11 +9,11 @@ module RuboCop
         MSG = "Prefer `render` with string instead of symbol"
 
         def_node_matcher :render_sym?, <<-PATTERN
-          (send nil? :render $(sym _))
+          (send nil? {:render :render_to_string} $(sym _))
         PATTERN
 
         def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :action_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_controller_render_literal.rb

@@ -1,32 +1,15 @@
 # frozen_string_literal: true
 
 require "rubocop"
+require "rubocop/cop/github/render_literal_helpers"
 
 module RuboCop
   module Cop
     module GitHub
       class RailsControllerRenderLiteral < Cop
-        MSG = "render must be used with a string literal"
+        include RenderLiteralHelpers
 
-        def_node_matcher :literal?, <<-PATTERN
-          ({str sym true false nil?} ...)
-        PATTERN
-
-        def_node_matcher :render?, <<-PATTERN
-          (send nil? :render ...)
-        PATTERN
-
-        def_node_matcher :render_literal?, <<-PATTERN
-          (send nil? :render ({str sym} $_) $...)
-        PATTERN
-
-        def_node_matcher :render_const?, <<-PATTERN
-          (send nil? :render (const _ _) ...)
-        PATTERN
-
-        def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...))
-        PATTERN
+        MSG = "render must be used with a string literal or an instance of a Class"
 
         def_node_matcher :ignore_key?, <<-PATTERN
           (pair (sym {
@@ -64,10 +47,16 @@ module RuboCop
           }) ...)
         PATTERN
 
+        def_node_matcher :render_const?, <<-PATTERN
+          (send nil? {:render :render_to_string} (const _ _) ...)
+        PATTERN
+
         def on_send(node)
           return unless render?(node)
 
-          if render_literal?(node) || render_const?(node)
+          return if render_view_component?(node) || render_const?(node)
+
+          if render_literal?(node)
           elsif option_pairs = render_with_options?(node)
             option_pairs = option_pairs.reject { |pair| options_key?(pair) }
 
@@ -78,18 +67,40 @@ module RuboCop
             if template_node = option_pairs.map { |pair| template_key?(pair) }.compact.first
               if !literal?(template_node)
                 add_offense(node, location: :expression)
+                return
               end
             else
               add_offense(node, location: :expression)
+              return
             end
 
             if layout_node = option_pairs.map { |pair| layout_key?(pair) }.compact.first
               if !literal?(layout_node)
                 add_offense(node, location: :expression)
+                return
               end
             end
           else
             add_offense(node, location: :expression)
+            return
+          end
+
+          if render_literal?(node)
+            option_hash = node.arguments[1]
+            if option_hash && !option_hash.hash_type?
+              add_offense(node, location: :expression)
+              return
+            end
+            option_pairs = option_hash && option_hash.pairs
+          else
+            option_pairs = node.arguments[0].pairs
+          end
+
+          if option_pairs
+            locals = option_pairs.map { |pair| locals_key?(pair) }.compact.first
+            if locals && (!locals.hash_type? || !hash_with_literal_keys?(locals))
+              add_offense(node, location: :expression)
+            end
           end
         end
       end

data/lib/rubocop/cop/github/rails_controller_render_paths_exist.rb

@@ -7,15 +7,15 @@ module RuboCop
     module GitHub
       class RailsControllerRenderPathsExist < Cop
         def_node_matcher :render?, <<-PATTERN
-          (send nil? :render $...)
+          (send nil? {:render :render_to_string} $...)
         PATTERN
 
         def_node_matcher :render_str?, <<-PATTERN
-          (send nil? :render $({str sym} $_) ...)
+          (send nil? {:render :render_to_string} $({str sym} $_) ...)
         PATTERN
 
         def_node_matcher :render_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :render_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_controller_render_shorthand.rb

@@ -9,7 +9,7 @@ module RuboCop
         MSG = "Prefer `render` template shorthand"
 
         def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :action_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_render_inline.rb

@@ -9,7 +9,7 @@ module RuboCop
         MSG = "Avoid `render inline:`"
 
         def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :inline_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_render_object_collection.rb

@@ -9,7 +9,7 @@ module RuboCop
         MSG = "Avoid `render object:`"
 
         def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...) ...)
+          (send nil? {:render :render_to_string} (hash $...) ...)
         PATTERN
 
         def_node_matcher :partial_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_view_render_literal.rb

@@ -1,32 +1,15 @@
 # frozen_string_literal: true
 
 require "rubocop"
+require "rubocop/cop/github/render_literal_helpers"
 
 module RuboCop
   module Cop
     module GitHub
       class RailsViewRenderLiteral < Cop
-        MSG = "render must be used with a string literal"
+        include RenderLiteralHelpers
 
-        def_node_matcher :literal?, <<-PATTERN
-          ({str sym true false nil?} ...)
-        PATTERN
-
-        def_node_matcher :render?, <<-PATTERN
-          (send nil? :render $...)
-        PATTERN
-
-        def_node_matcher :render_literal?, <<-PATTERN
-          (send nil? :render ({str sym} $_) $...)
-        PATTERN
-
-        def_node_matcher :render_const?, <<-PATTERN
-          (send nil? :render (const _ _) ...)
-        PATTERN
-
-        def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...) ...)
-        PATTERN
+        MSG = "render must be used with a literal template and use literals for locals keys"
 
         def_node_matcher :ignore_key?, <<-PATTERN
           (pair (sym {
@@ -46,7 +29,10 @@ module RuboCop
         def on_send(node)
           return unless render?(node)
 
-          if render_literal?(node) || render_const?(node)
+          # Ignore "component"-style renders
+          return if render_view_component?(node)
+
+          if render_literal?(node)
           elsif option_pairs = render_with_options?(node)
             if option_pairs.any? { |pair| ignore_key?(pair) }
               return
@@ -55,12 +41,31 @@ module RuboCop
             if partial_node = option_pairs.map { |pair| partial_key?(pair) }.compact.first
               if !literal?(partial_node)
                 add_offense(node, location: :expression)
+                return
               end
             else
               add_offense(node, location: :expression)
+              return
             end
           else
             add_offense(node, location: :expression)
+            return
+          end
+
+          if render_literal?(node) && node.arguments.count > 1
+            locals = node.arguments[1]
+          elsif options_pairs = render_with_options?(node)
+            locals = option_pairs.map { |pair| locals_key?(pair) }.compact.first
+          end
+
+          if locals
+            if locals.hash_type?
+              if !hash_with_literal_keys?(locals)
+                add_offense(node, location: :expression)
+              end
+            else
+              add_offense(node, location: :expression)
+            end
           end
         end
       end

data/lib/rubocop/cop/github/rails_view_render_paths_exist.rb

@@ -7,15 +7,15 @@ module RuboCop
     module GitHub
       class RailsViewRenderPathsExist < Cop
         def_node_matcher :render?, <<-PATTERN
-          (send nil? :render $...)
+          (send nil? {:render :render_to_string} $...)
         PATTERN
 
         def_node_matcher :render_str?, <<-PATTERN
-          (send nil? :render $(str $_) ...)
+          (send nil? {:render :render_to_string} $(str $_) ...)
         PATTERN
 
         def_node_matcher :render_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :partial_key?, <<-PATTERN

data/lib/rubocop/cop/github/rails_view_render_shorthand.rb

@@ -9,7 +9,7 @@ module RuboCop
         MSG = "Prefer `render` partial shorthand"
 
         def_node_matcher :render_with_options?, <<-PATTERN
-          (send nil? :render (hash $...))
+          (send nil? {:render :render_to_string} (hash $...))
         PATTERN
 
         def_node_matcher :partial_key?, <<-PATTERN

data/lib/rubocop/cop/github/render_literal_helpers.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+#
+require "rubocop"
+
+module RuboCop
+  module Cop
+    module GitHub
+      module RenderLiteralHelpers
+        extend NodePattern::Macros
+
+        def_node_matcher :literal?, <<-PATTERN
+          ({str sym true false nil?} ...)
+        PATTERN
+
+        def_node_matcher :render?, <<-PATTERN
+          (send nil? {:render :render_to_string} ...)
+        PATTERN
+
+        def_node_matcher :render_literal?, <<-PATTERN
+          (send nil? {:render :render_to_string} ({str sym} $_) $...)
+        PATTERN
+
+        def_node_matcher :render_with_options?, <<-PATTERN
+          (send nil? {:render :render_to_string} (hash $...) ...)
+        PATTERN
+
+        def_node_matcher :render_view_component_instance?, <<-PATTERN
+          (send nil? {:render :render_to_string} (send _ :new ...) ...)
+        PATTERN
+
+        def_node_matcher :render_view_component_instance_with_content?, <<-PATTERN
+          (send nil? {:render :render_to_string} (send (send _ :new ...) `:with_content ...))
+        PATTERN
+
+        def_node_matcher :render_view_component_collection?, <<-PATTERN
+          (send nil? {:render :render_to_string} (send _ :with_collection ...) ...)
+        PATTERN
+
+        def_node_matcher :locals_key?, <<-PATTERN
+          (pair (sym :locals) $_)
+        PATTERN
+
+        def hash_with_literal_keys?(hash)
+          hash.pairs.all? { |pair| literal?(pair.key) }
+        end
+
+        def render_view_component?(node)
+          render_view_component_instance_with_content?(node) ||
+            render_view_component_instance?(node) ||
+            render_view_component_collection?(node)
+        end
+      end
+    end
+  end
+end