rubocop-gitlab-security 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2c65bedf0e3528bc2dc5170eb1dbf121e9c699bf
+  data.tar.gz: 83066a7d3c32e86a9fc1af8d6eb08f0419b5c445
+SHA512:
+  metadata.gz: 84d7f7cac070f0544e069c38cc78538d127f3887a34ccbded7b3110e5b63cdfcddaed5b3324f460ed792f1fea383b0126c5358517b1890cd4c21b28ce8fda177
+  data.tar.gz: 5f17b1cede77035a9baf73e8d4b38e12fa1175e810b863f9e294e1ae6837a3a3435d5766d38aafecbc1d602653c9b7cd3132446925218a8e7e9f127965ba1e84

data/MIT-LICENSE.md

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+=====================
+
+Copyright (c) 2014 Ian MacLeod <ian@nevir.net>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,96 @@
+This is an early attempt at creating Rubocop rules, similar to Rubocop-RSpec, for
+blocking dangerous code. This code is based heavily upon the [Rubocop-RSpec](https://github.com/backus/rubocop-rspec)
+code released under the MIT License.
+
+Installation is the same as with Rubocop-RSpec.
+
+Just install the `rubocop-gitlab-security` gem
+
+```bash
+gem install rubocop-gitlab-security
+```
+
+or if you use bundler put this in your `Gemfile`
+
+```
+gem 'rubocop-gitlab-security'
+```
+
+
+## Usage
+
+You need to tell RuboCop to load the Gitlab-Security extension. There are three
+ways to do this:
+
+### RuboCop configuration file
+
+Put this into your `.rubocop.yml`.
+
+```
+require: rubocop-gitlab-security
+```
+
+Now you can run `rubocop` and it will automatically load the RuboCop Gitlab-Security
+cops together with the standard cops.
+
+### Command line
+
+```bash
+rubocop --require rubocop-gitlab-security
+```
+
+### Rake task
+
+```ruby
+RuboCop::RakeTask.new do |task|
+  task.requires << 'rubocop-gitlab-security'
+end
+```
+
+## Inspecting specific files
+
+By default, `rubocop-gitlab-security` inspects all files. You can override this setting in your config file by specifying one or more patterns:
+
+```yaml
+# Inspect all files
+AllCops:
+  RSpec:
+    Patterns:
+    - '.+'
+```
+
+```yaml
+# Inspect only files ending with `_test.rb`
+AllCops:
+  RSpec:
+    Patterns:
+    - '_test.rb$'
+```
+
+## The Cops
+
+All cops are located under
+[`lib/rubocop/cop/gitlab-security`](lib/rubocop/cop/gitlab-security), and contain
+examples/documentation.
+
+In your `.rubocop.yml`, you may treat the Gitlab-Security cops just like any other
+cop. For example:
+
+```yaml
+GitlabSecurity/PublicSend:
+  Exclude:
+    - app/my_file.rb
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Merge Request
+
+## License
+
+`rubocop-gitlab-security` is MIT licensed. [See the accompanying file](MIT-LICENSE.md) for
+the full text.

data/config/default.yml

@@ -0,0 +1,10 @@
+---
+
+AllCops:
+  GitlabSecurity:
+    Patterns:
+    - '.+'
+
+GitlabSecurity/PublicSend:
+  Description: Check for use of send()/public_send()
+  Enabled: true

data/lib/rubocop-gitlab-security.rb

@@ -0,0 +1,22 @@
+require 'pathname'
+require 'yaml'
+
+require 'rubocop'
+
+require 'rubocop/gitlab-security'
+require 'rubocop/gitlab-security/version'
+require 'rubocop/gitlab-security/inject'
+require 'rubocop/gitlab-security/top_level_describe'
+require 'rubocop/gitlab-security/wording'
+require 'rubocop/gitlab-security/util'
+require 'rubocop/gitlab-security/language'
+require 'rubocop/gitlab-security/language/node_pattern'
+require 'rubocop/gitlab-security/concept'
+require 'rubocop/gitlab-security/example_group'
+require 'rubocop/gitlab-security/example'
+require 'rubocop/gitlab-security/hook'
+require 'rubocop/cop/gitlab-security/cop'
+
+RuboCop::GitlabSecurity::Inject.defaults!
+
+require 'rubocop/cop/gitlab-security/public_send'

data/lib/rubocop/cop/gitlab-security/cop.rb

@@ -0,0 +1,70 @@
+module RuboCop
+  module Cop # rubocop:disable Style/Documentation
+    WorkaroundCop2 = Cop.dup
+
+    # Clone of the the normal RuboCop::Cop::Cop class so we can rewrite
+    # the inherited method without breaking functionality
+    class WorkaroundCop2
+      # Overwrite the cop inherited method to be a noop. Our RSpec::Cop
+      # class will invoke the inherited hook instead
+      def self.inherited(*); end
+
+      # Special case `Module#<` so that the rspec support rubocop exports
+      # is compatible with our subclass
+      def self.<(other)
+        other.equal?(RuboCop::Cop::Cop) || super
+      end
+    end
+    private_constant(:WorkaroundCop2)
+
+    module GitlabSecurity
+      # @abstract parent class to rspec cops
+      #
+      # The criteria for whether rubocop-rspec analyzes a certain ruby file
+      # is configured via `AllCops/RSpec`. For example, if you want to
+      # customize your project to scan all files within a `test/` directory
+      # then you could add this to your configuration:
+      #
+      # @example configuring analyzed paths
+      #
+      #   AllCops:
+      #     RSpec:
+      #       Patterns:
+      #       - '_test.rb$'
+      #       - '(?:^|/)test/'
+      class Cop < WorkaroundCop2
+        include RuboCop::GitlabSecurity::Language
+        include RuboCop::GitlabSecurity::Language::NodePattern
+
+        DEFAULT_CONFIGURATION =
+          RuboCop::GitlabSecurity::CONFIG.fetch('AllCops').fetch('GitlabSecurity')
+
+        # Invoke the original inherited hook so our cops are recognized
+        def self.inherited(subclass)
+          RuboCop::Cop::Cop.inherited(subclass)
+        end
+
+        def relevant_file?(file)
+          relevant_rubocop_rspec_file?(file) && super
+        end
+
+        private
+
+        def relevant_rubocop_rspec_file?(file)
+          rspec_pattern =~ file
+        end
+
+        def rspec_pattern
+          Regexp.union(rspec_pattern_config.map(&Regexp.public_method(:new)))
+        end
+
+        def rspec_pattern_config
+          config
+            .for_all_cops
+            .fetch('GitlabSecurity', DEFAULT_CONFIGURATION)
+            .fetch('Patterns')
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab-security/public_send.rb

@@ -0,0 +1,14 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      class PublicSend < RuboCop::Cop::Cop
+        MSG = 'Avoid using `send`'
+
+        def on_send(node)
+          return unless node.command?(:send) || node.command?(:public_send)
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security.rb

@@ -0,0 +1,10 @@
+module RuboCop
+  # RuboCop RSpec project namespace
+  module GitlabSecurity
+    PROJECT_ROOT   = Pathname.new(__dir__).parent.parent.expand_path.freeze
+    CONFIG_DEFAULT = PROJECT_ROOT.join('config', 'default.yml').freeze
+    CONFIG         = YAML.safe_load(CONFIG_DEFAULT.read).freeze
+
+    private_constant(:CONFIG_DEFAULT, :PROJECT_ROOT)
+  end
+end

data/lib/rubocop/gitlab-security/concept.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Wrapper for RSpec DSL methods
+    class Concept
+      include Language
+      include Language::NodePattern
+      extend NodePattern::Macros
+
+      def initialize(node)
+        @node = node
+      end
+
+      def eql?(other)
+        node == other.node
+      end
+
+      alias == eql?
+
+      def hash
+        [self.class, node].hash
+      end
+
+      def to_node
+        node
+      end
+
+      protected
+
+      attr_reader :node
+    end
+  end
+end

data/lib/rubocop/gitlab-security/config_formatter.rb

@@ -0,0 +1,33 @@
+require 'yaml'
+
+module RuboCop
+  module GitlabSecurity
+    # Builds a YAML config file from two config hashes
+    class ConfigFormatter
+      NAMESPACES = /^(#{Regexp.union('GitlabSecurity')})/
+
+      def initialize(config, descriptions)
+        @config       = config
+        @descriptions = descriptions
+      end
+
+      def dump
+        YAML.dump(unified_config).gsub(NAMESPACES, "\n\\1")
+      end
+
+      private
+
+      def unified_config
+        cops.each_with_object(config.dup) do |cop, unified|
+          unified[cop] = config.fetch(cop).merge(descriptions.fetch(cop))
+        end
+      end
+
+      def cops
+        (descriptions.keys | config.keys).grep(NAMESPACES)
+      end
+
+      attr_reader :config, :descriptions
+    end
+  end
+end

data/lib/rubocop/gitlab-security/description_extractor.rb

@@ -0,0 +1,72 @@
+module RuboCop
+  module GitlabSecurity
+    # Extracts cop descriptions from YARD docstrings
+    class DescriptionExtractor
+      def initialize(yardocs)
+        @code_objects = yardocs.map(&CodeObject.public_method(:new))
+      end
+
+      def to_h
+        code_objects
+          .select(&:rspec_cop?)
+          .map(&:configuration)
+          .reduce(:merge)
+      end
+
+      private
+
+      attr_reader :code_objects
+
+      # Decorator of a YARD code object for working with documented rspec cops
+      class CodeObject
+        RSPEC_NAMESPACE = 'RuboCop::Cop::GitlabSecurity'.freeze
+
+        def initialize(yardoc)
+          @yardoc = yardoc
+        end
+
+        # Test if the YARD code object documents a concrete rspec cop class
+        #
+        # @return [Boolean]
+        def rspec_cop?
+          class_documentation? && rspec_cop_namespace? && !abstract?
+        end
+
+        # Configuration for the documented cop that would live in default.yml
+        #
+        # @return [Hash]
+        def configuration
+          { cop_name => { 'Description' => description } }
+        end
+
+        private
+
+        def cop_name
+          Object.const_get(documented_constant).cop_name
+        end
+
+        def description
+          yardoc.docstring.split("\n\n").first.to_s
+        end
+
+        def class_documentation?
+          yardoc.type.equal?(:class)
+        end
+
+        def rspec_cop_namespace?
+          documented_constant.start_with?(RSPEC_NAMESPACE)
+        end
+
+        def documented_constant
+          yardoc.to_s
+        end
+
+        def abstract?
+          yardoc.tags.any? { |tag| tag.tag_name.eql?('abstract') }
+        end
+
+        attr_reader :yardoc
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/example.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Wrapper for RSpec examples
+    class Example < Concept
+      def_node_matcher :extract_doc_string,     '(send _ _ $str ...)'
+      def_node_matcher :extract_metadata,       '(send _ _ _ $...)'
+      def_node_matcher :extract_implementation, '(block send args $_)'
+
+      def doc_string
+        extract_doc_string(definition)
+      end
+
+      def metadata
+        extract_metadata(definition)
+      end
+
+      def implementation
+        extract_implementation(node)
+      end
+
+      def definition
+        if node.send_type?
+          node
+        else
+          node.children.first
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/example_group.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Wrapper for RSpec example groups
+    class ExampleGroup < Concept
+      # @!method scope_change?(node)
+      #
+      #   Detect if the node is an example group or shared example
+      #
+      #   Selectors which indicate that we should stop searching
+      #
+      def_node_matcher :scope_change?,
+                       (ExampleGroups::ALL + SharedGroups::ALL).block_pattern
+
+      # @!method hook(node)
+      #
+      #   Detect if node is `before`, `after`, `around`
+      def_node_matcher :hook, <<-PATTERN
+        (block {$(send nil #{Hooks::ALL.node_pattern_union} ...)} ...)
+      PATTERN
+
+      def_node_matcher :subject, Subject::ALL.block_pattern
+
+      def subjects
+        subjects_in_scope(node)
+      end
+
+      def examples
+        examples_in_scope(node).map(&Example.public_method(:new))
+      end
+
+      def hooks
+        hooks_in_scope(node).map(&Hook.public_method(:new))
+      end
+
+      private
+
+      def subjects_in_scope(node)
+        node.each_child_node.flat_map do |child|
+          find_subjects(child)
+        end
+      end
+
+      def find_subjects(node)
+        return [] if scope_change?(node)
+
+        if subject(node)
+          [node]
+        else
+          subjects_in_scope(node)
+        end
+      end
+
+      def hooks_in_scope(node)
+        node.each_child_node.flat_map do |child|
+          find_hooks(child)
+        end
+      end
+
+      def find_hooks(node)
+        return [] if scope_change?(node) || example?(node)
+
+        if hook(node)
+          [node]
+        else
+          hooks_in_scope(node)
+        end
+      end
+
+      def examples_in_scope(node, &blk)
+        node.each_child_node.flat_map do |child|
+          find_examples(child, &blk)
+        end
+      end
+
+      # Recursively search for examples within the current scope
+      #
+      # Searches node for examples and halts when a scope change is detected
+      #
+      # @param node [RuboCop::Node] node to recursively search for examples
+      #
+      # @return [Array<RuboCop::Node>] discovered example nodes
+      def find_examples(node)
+        return [] if scope_change?(node)
+
+        if example?(node)
+          [node]
+        else
+          examples_in_scope(node)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/hook.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Wrapper for RSpec hook
+    class Hook < Concept
+      STANDARDIZED_SCOPES = %i[each context suite].freeze
+      private_constant(:STANDARDIZED_SCOPES)
+
+      def name
+        node.method_name
+      end
+
+      def knowable_scope?
+        return true unless scope_argument
+
+        scope_argument.sym_type?
+      end
+
+      def valid_scope?
+        STANDARDIZED_SCOPES.include?(scope)
+      end
+
+      def example?
+        scope.equal?(:each)
+      end
+
+      def scope
+        case scope_name
+        when nil, :each, :example then :each
+        when :context, :all       then :context
+        when :suite               then :suite
+        else
+          scope_name
+        end
+      end
+
+      private
+
+      def scope_name
+        scope_argument.to_a.first
+      end
+
+      def scope_argument
+        node.method_args.first
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/inject.rb

@@ -0,0 +1,16 @@
+module RuboCop
+  module GitlabSecurity
+    # Because RuboCop doesn't yet support plugins, we have to monkey patch in a
+    # bit of our configuration.
+    module Inject
+      def self.defaults!
+        path = CONFIG_DEFAULT.to_s
+        hash = ConfigLoader.send(:load_yaml_configuration, path)
+        config = Config.new(hash, path)
+        puts "configuration from #{path}" if ConfigLoader.debug?
+        config = ConfigLoader.merge_with_default(config, path)
+        ConfigLoader.instance_variable_set(:@default_configuration, config)
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/language.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # RSpec public API methods that are commonly used in cops
+    module Language
+      # Set of method selectors
+      class SelectorSet
+        def initialize(selectors)
+          @selectors = selectors
+        end
+
+        def ==(other)
+          selectors.eql?(other.selectors)
+        end
+
+        def +(other)
+          self.class.new(selectors + other.selectors)
+        end
+
+        def include?(selector)
+          selectors.include?(selector)
+        end
+
+        def block_pattern
+          "(block #{send_pattern} ...)"
+        end
+
+        def send_pattern
+          "(send _ #{node_pattern_union} ...)"
+        end
+
+        def node_pattern_union
+          "{#{node_pattern}}"
+        end
+
+        def node_pattern
+          selectors.map(&:inspect).join(' ')
+        end
+
+        protected
+
+        attr_reader :selectors
+      end
+
+      module Matchers
+        MESSAGE_CHAIN = SelectorSet.new(%i[receive_message_chain stub_chain])
+      end
+
+      module ExampleGroups
+        GROUPS  = SelectorSet.new(%i[describe context feature example_group])
+        SKIPPED = SelectorSet.new(%i[xdescribe xcontext xfeature])
+        FOCUSED = SelectorSet.new(%i[fdescribe fcontext ffeature])
+
+        ALL = GROUPS + SKIPPED + FOCUSED
+      end
+
+      module SharedGroups
+        EXAMPLES = SelectorSet.new(%i[shared_examples shared_examples_for])
+        CONTEXT = SelectorSet.new(%i[shared_context])
+
+        ALL = EXAMPLES + CONTEXT
+      end
+
+      module Includes
+        EXAMPLES = SelectorSet.new(
+          %i[
+            it_behaves_like
+            it_should_behave_like
+            include_examples
+          ]
+        )
+        CONTEXT = SelectorSet.new(%i[include_context])
+
+        ALL = EXAMPLES + CONTEXT
+      end
+
+      module Examples
+        EXAMPLES = SelectorSet.new(%i[it specify example scenario its])
+        FOCUSED  = SelectorSet.new(%i[fit fspecify fexample fscenario focus])
+        SKIPPED  = SelectorSet.new(%i[xit xspecify xexample xscenario skip])
+        PENDING  = SelectorSet.new(%i[pending])
+
+        ALL = EXAMPLES + FOCUSED + SKIPPED + PENDING
+      end
+
+      module Hooks
+        ALL = SelectorSet.new(
+          %i[
+            prepend_before
+            before
+            append_before
+            around
+            prepend_after
+            after
+            append_after
+          ]
+        )
+      end
+
+      module Helpers
+        ALL = SelectorSet.new(%i[let let!])
+      end
+
+      module Subject
+        ALL = SelectorSet.new(%i[subject subject!])
+      end
+
+      ALL =
+        ExampleGroups::ALL +
+        SharedGroups::ALL  +
+        Examples::ALL      +
+        Hooks::ALL         +
+        Helpers::ALL       +
+        Subject::ALL
+    end
+  end
+end

data/lib/rubocop/gitlab-security/language/node_pattern.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    module Language
+      # Common node matchers used for matching against the rspec DSL
+      module NodePattern
+        extend RuboCop::NodePattern::Macros
+
+        def_node_matcher :example_group?, ExampleGroups::ALL.block_pattern
+
+        def_node_matcher :example_group_with_body?, <<-PATTERN
+          (block #{ExampleGroups::ALL.send_pattern} args [!nil])
+        PATTERN
+
+        def_node_matcher :example?, Examples::ALL.block_pattern
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/top_level_describe.rb

@@ -0,0 +1,57 @@
+module RuboCop
+  module GitlabSecurity
+    # Helper methods for top level describe cops
+    module TopLevelDescribe
+      extend NodePattern::Macros
+
+      def_node_matcher :described_constant, <<-PATTERN
+        (block $(send _ :describe $(const ...)) (args) $_)
+      PATTERN
+
+      def on_send(node)
+        return unless respond_to?(:on_top_level_describe)
+        return unless top_level_describe?(node)
+
+        _receiver, _method_name, *args = *node
+
+        on_top_level_describe(node, args)
+      end
+
+      private
+
+      def top_level_describe?(node)
+        _receiver, method_name, *_args = *node
+        return false unless method_name == :describe
+
+        top_level_nodes.include?(node)
+      end
+
+      def top_level_nodes
+        nodes = describe_statement_children(root_node)
+        # If we have no top level describe statements, we need to check any
+        # blocks on the top level (e.g. after a require).
+        if nodes.empty?
+          nodes = root_node.each_child_node(:block).flat_map do |child|
+            describe_statement_children(child)
+          end
+        end
+
+        nodes
+      end
+
+      def root_node
+        processed_source.ast
+      end
+
+      def single_top_level_describe?
+        top_level_nodes.one?
+      end
+
+      def describe_statement_children(node)
+        node.each_child_node(:send).select do |element|
+          element.children[1] == :describe
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/util.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Utility methods
+    module Util
+      # Error raised by `Util.one` if size is less than zero or greater than one
+      SizeError = Class.new(IndexError)
+
+      # Return only element in array if it contains exactly one member
+      def one(array)
+        return array.first if array.one?
+
+        raise SizeError,
+              "expected size to be exactly 1 but size was #{array.size}"
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/version.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # Version information for the GitlabSecurity Rubocop  plugin.
+    module Version
+      STRING = '0.0.1'.freeze
+    end
+  end
+end

data/lib/rubocop/gitlab-security/wording.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module GitlabSecurity
+    # RSpec example wording rewriter
+    class Wording
+      SHOULDNT_PREFIX    = /\Ashould(?:n't| not)\b/i
+      SHOULDNT_BE_PREFIX = /#{SHOULDNT_PREFIX} be\b/i
+      ES_SUFFIX_PATTERN  = /(?:o|s|x|ch|sh|z)\z/i
+      IES_SUFFIX_PATTERN = /[^aeou]y\z/i
+
+      def initialize(text, ignore:, replace:)
+        @text         = text
+        @ignores      = ignore
+        @replacements = replace
+      end
+
+      def rewrite
+        case text
+        when SHOULDNT_BE_PREFIX
+          replace_prefix(SHOULDNT_BE_PREFIX, 'is not')
+        when SHOULDNT_PREFIX
+          replace_prefix(SHOULDNT_PREFIX, 'does not')
+        else
+          remove_should_and_pluralize
+        end
+      end
+
+      private
+
+      attr_reader :text, :ignores, :replacements
+
+      def replace_prefix(pattern, replacement)
+        text.sub(pattern) do |shouldnt|
+          uppercase?(shouldnt) ? replacement.upcase : replacement
+        end
+      end
+
+      def uppercase?(word)
+        word.upcase.eql?(word)
+      end
+
+      def remove_should_and_pluralize
+        _should, *words = text.split
+
+        words.each_with_index do |word, index|
+          next if ignored_word?(word)
+
+          words[index] = substitute(word)
+
+          break
+        end
+
+        words.join(' ')
+      end
+
+      def ignored_word?(word)
+        ignores.any? { |ignore| ignore.casecmp(word).zero? }
+      end
+
+      def substitute(word)
+        # NOTE: Custom replacements are case sensitive.
+        return replacements.fetch(word) if replacements.key?(word)
+
+        case word
+        when ES_SUFFIX_PATTERN  then append_suffix(word, 'es')
+        when IES_SUFFIX_PATTERN then append_suffix(word[0..-2], 'ies')
+        else append_suffix(word, 's')
+        end
+      end
+
+      def append_suffix(word, suffix)
+        suffix = suffix.upcase if uppercase?(word)
+
+        "#{word}#{suffix}"
+      end
+
+      private_constant(*constants(false))
+    end
+  end
+end

data/rubocop-gitlab-security.gemspec

@@ -0,0 +1,36 @@
+# encoding: utf-8
+
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'rubocop/gitlab-security/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'rubocop-gitlab-security'
+  spec.summary = 'Basic security checks for projects'
+  spec.description = <<-end_description
+    Basic security checking for Ruby files.
+    A plugin for the RuboCop code style enforcing & linting tool.
+  end_description
+  spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
+  spec.authors = ['Brian Neel']
+  spec.email = [
+    'brian@gitlab.com'
+  ]
+  spec.licenses = ['MIT']
+
+  spec.version = RuboCop::GitlabSecurity::Version::STRING
+  spec.platform = Gem::Platform::RUBY
+  spec.required_ruby_version = '>= 2.1.0'
+
+  spec.require_paths = ['lib']
+  spec.files = Dir[
+    '{config,lib}/**/*',
+    '*.md',
+    '*.gemspec',
+    'Gemfile'
+  ]
+  spec.extra_rdoc_files = ['MIT-LICENSE.md', 'README.md']
+
+  spec.add_runtime_dependency 'rubocop', '>= 0.49.0'
+
+  spec.add_development_dependency 'rake'
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: rubocop-gitlab-security
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Brian Neel
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.49.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.49.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: |2
+      Basic security checking for Ruby files.
+      A plugin for the RuboCop code style enforcing & linting tool.
+email:
+- brian@gitlab.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- MIT-LICENSE.md
+- README.md
+files:
+- MIT-LICENSE.md
+- README.md
+- config/default.yml
+- lib/rubocop-gitlab-security.rb
+- lib/rubocop/cop/gitlab-security/cop.rb
+- lib/rubocop/cop/gitlab-security/public_send.rb
+- lib/rubocop/gitlab-security.rb
+- lib/rubocop/gitlab-security/concept.rb
+- lib/rubocop/gitlab-security/config_formatter.rb
+- lib/rubocop/gitlab-security/description_extractor.rb
+- lib/rubocop/gitlab-security/example.rb
+- lib/rubocop/gitlab-security/example_group.rb
+- lib/rubocop/gitlab-security/hook.rb
+- lib/rubocop/gitlab-security/inject.rb
+- lib/rubocop/gitlab-security/language.rb
+- lib/rubocop/gitlab-security/language/node_pattern.rb
+- lib/rubocop/gitlab-security/top_level_describe.rb
+- lib/rubocop/gitlab-security/util.rb
+- lib/rubocop/gitlab-security/version.rb
+- lib/rubocop/gitlab-security/wording.rb
+- rubocop-gitlab-security.gemspec
+homepage: http://gitlab.com/briann/rubocop-gitlab-security
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Basic security checks for projects
+test_files: []