rubocop-gitlab-security 0.0.2 → 0.0.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/MIT-LICENSE.md +2 -2
- data/README.md +5 -5
- data/config/default.yml +6 -0
- data/lib/rubocop-gitlab-security.rb +2 -0
- data/lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb +31 -0
- data/lib/rubocop/cop/gitlab-security/send_file_params.rb +36 -0
- data/lib/rubocop/gitlab-security/version.rb +1 -1
- data/rubocop-gitlab-security.gemspec +1 -1
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 07583650e709307d9bef8cf66f06ae194d8c9016
|
|
4
|
+
data.tar.gz: 80e18df385a8682121b0bf064e827a48336bd6fe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 447ce7bd7c92f5753a682a67e15b94b869237e0da9180a2edda0a8a4da20dd6b90f1f488c9c56713ca49d99c87c5f0b7833e4043cbb2532b0a9f891683227d5b
|
|
7
|
+
data.tar.gz: 2a3f5f2f545b1ef07b044b7b1dc7e359251f9abeac925188552ab2d018fe855e809bb36ceda6c134193a1ad658058e0a5fb024e43e0520b38dd2e6ef5edd34da
|
data/MIT-LICENSE.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
The MIT License (MIT)
|
|
2
2
|
=====================
|
|
3
3
|
|
|
4
|
-
Copyright (c)
|
|
4
|
+
Copyright (c) 2017 GitLab B.V.
|
|
5
5
|
|
|
6
6
|
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
7
7
|
this software and associated documentation files (the "Software"), to deal in
|
|
@@ -19,4 +19,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
19
19
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
20
20
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
21
21
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
22
|
-
SOFTWARE.
|
|
22
|
+
SOFTWARE.
|
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@ This is an early attempt at creating Rubocop rules, similar to Rubocop-RSpec, fo
|
|
|
2
2
|
blocking dangerous code. This code is based heavily upon the [Rubocop-RSpec](https://github.com/backus/rubocop-rspec)
|
|
3
3
|
code released under the MIT License.
|
|
4
4
|
|
|
5
|
-
Installation
|
|
5
|
+
## Installation
|
|
6
6
|
|
|
7
7
|
Just install the `rubocop-gitlab-security` gem
|
|
8
8
|
|
|
@@ -54,17 +54,17 @@ By default, `rubocop-gitlab-security` inspects all files. You can override this
|
|
|
54
54
|
```yaml
|
|
55
55
|
# Inspect all files
|
|
56
56
|
AllCops:
|
|
57
|
-
|
|
57
|
+
GitlabSecurity:
|
|
58
58
|
Patterns:
|
|
59
59
|
- '.+'
|
|
60
60
|
```
|
|
61
61
|
|
|
62
62
|
```yaml
|
|
63
|
-
# Inspect only files
|
|
63
|
+
# Inspect only controller files.
|
|
64
64
|
AllCops:
|
|
65
|
-
|
|
65
|
+
GitlabSecurity:
|
|
66
66
|
Patterns:
|
|
67
|
-
-
|
|
67
|
+
- app/controllers/**/*.rb
|
|
68
68
|
```
|
|
69
69
|
|
|
70
70
|
## The Cops
|
data/config/default.yml
CHANGED
|
@@ -8,3 +8,9 @@ AllCops:
|
|
|
8
8
|
GitlabSecurity/PublicSend:
|
|
9
9
|
Description: Check for use of send()/public_send()
|
|
10
10
|
Enabled: true
|
|
11
|
+
GitlabSecurity/RedirectToParamsUpdate:
|
|
12
|
+
Description: Check for use of redirect_to(params.update())
|
|
13
|
+
Enabled: true
|
|
14
|
+
GitlabSecurity/SendFileParams:
|
|
15
|
+
Description: Check for passing of params hash to send_file()
|
|
16
|
+
Enabled: true
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
module RuboCop
|
|
2
|
+
module Cop
|
|
3
|
+
module GitlabSecurity
|
|
4
|
+
# Check for use of redirect_to(params.update())
|
|
5
|
+
#
|
|
6
|
+
# Passing user params to the redirect_to method provides an open redirect
|
|
7
|
+
#
|
|
8
|
+
# @example
|
|
9
|
+
#
|
|
10
|
+
# # bad
|
|
11
|
+
# redirect_to(params.update(action:'main'))
|
|
12
|
+
#
|
|
13
|
+
# # good
|
|
14
|
+
# redirect_to(whitelist(params))
|
|
15
|
+
#
|
|
16
|
+
class RedirectToParamsUpdate < RuboCop::Cop::Cop
|
|
17
|
+
MSG = 'Avoid using redirect_to(params.update()). Only pass whitelisted arguments into redirect_to() (e.g. not including `host`)'
|
|
18
|
+
|
|
19
|
+
def_node_matcher :redirect_to_params_update_node, <<-PATTERN
|
|
20
|
+
(send nil :redirect_to (send (send nil :params) ${:update :merge} ...))
|
|
21
|
+
PATTERN
|
|
22
|
+
|
|
23
|
+
def on_send(node)
|
|
24
|
+
return unless redirect_to_params_update_node(node)
|
|
25
|
+
|
|
26
|
+
add_offense(node, :selector)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
module RuboCop
|
|
2
|
+
module Cop
|
|
3
|
+
module GitlabSecurity
|
|
4
|
+
# Check for use of send_file(..., params[], ...)
|
|
5
|
+
#
|
|
6
|
+
# Passing user params to the send_file() method allows directory traversal
|
|
7
|
+
#
|
|
8
|
+
# @example
|
|
9
|
+
#
|
|
10
|
+
# # bad
|
|
11
|
+
# send_file("/tmp/myproj/" + params[:filename])
|
|
12
|
+
#
|
|
13
|
+
# # good (verify directory)
|
|
14
|
+
|
|
15
|
+
# basename = File.expand_path("/tmp/myproj")
|
|
16
|
+
# filename = File.expand_path(File.join(basename, @file.public_filename))
|
|
17
|
+
# raise if basename != filename
|
|
18
|
+
# send_file filename, disposition: 'inline'
|
|
19
|
+
#
|
|
20
|
+
class SendFileParams < RuboCop::Cop::Cop
|
|
21
|
+
MSG = 'Do not pass user provided params directly to send_file(), verify the path with file.expand_path() first.'
|
|
22
|
+
|
|
23
|
+
def_node_search :params_node?, <<-PATTERN
|
|
24
|
+
(send (send nil :params) ... )
|
|
25
|
+
PATTERN
|
|
26
|
+
|
|
27
|
+
def on_send(node)
|
|
28
|
+
return unless node.command?(:send_file)
|
|
29
|
+
return unless node.method_args.any? { |e| params_node?(e) }
|
|
30
|
+
|
|
31
|
+
add_offense(node, :selector)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
|
|
|
10
10
|
Basic security checking for Ruby files.
|
|
11
11
|
A plugin for the RuboCop code style enforcing & linting tool.
|
|
12
12
|
end_description
|
|
13
|
-
spec.homepage = '
|
|
13
|
+
spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security'
|
|
14
14
|
spec.authors = ['Brian Neel']
|
|
15
15
|
spec.email = [
|
|
16
16
|
'brian@gitlab.com'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rubocop-gitlab-security
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Brian Neel
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-06-
|
|
11
|
+
date: 2017-06-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rubocop
|
|
@@ -55,6 +55,8 @@ files:
|
|
|
55
55
|
- lib/rubocop-gitlab-security.rb
|
|
56
56
|
- lib/rubocop/cop/gitlab-security/cop.rb
|
|
57
57
|
- lib/rubocop/cop/gitlab-security/public_send.rb
|
|
58
|
+
- lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
|
|
59
|
+
- lib/rubocop/cop/gitlab-security/send_file_params.rb
|
|
58
60
|
- lib/rubocop/gitlab-security.rb
|
|
59
61
|
- lib/rubocop/gitlab-security/concept.rb
|
|
60
62
|
- lib/rubocop/gitlab-security/config_formatter.rb
|
|
@@ -70,7 +72,7 @@ files:
|
|
|
70
72
|
- lib/rubocop/gitlab-security/version.rb
|
|
71
73
|
- lib/rubocop/gitlab-security/wording.rb
|
|
72
74
|
- rubocop-gitlab-security.gemspec
|
|
73
|
-
homepage:
|
|
75
|
+
homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security
|
|
74
76
|
licenses:
|
|
75
77
|
- MIT
|
|
76
78
|
metadata: {}
|