rubocop-gitlab-security 0.0.2 → 0.0.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/MIT-LICENSE.md +2 -2
- data/README.md +5 -5
- data/config/default.yml +6 -0
- data/lib/rubocop-gitlab-security.rb +2 -0
- data/lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb +31 -0
- data/lib/rubocop/cop/gitlab-security/send_file_params.rb +36 -0
- data/lib/rubocop/gitlab-security/version.rb +1 -1
- data/rubocop-gitlab-security.gemspec +1 -1
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 07583650e709307d9bef8cf66f06ae194d8c9016
|
|
4
|
+
data.tar.gz: 80e18df385a8682121b0bf064e827a48336bd6fe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 447ce7bd7c92f5753a682a67e15b94b869237e0da9180a2edda0a8a4da20dd6b90f1f488c9c56713ca49d99c87c5f0b7833e4043cbb2532b0a9f891683227d5b
|
|
7
|
+
data.tar.gz: 2a3f5f2f545b1ef07b044b7b1dc7e359251f9abeac925188552ab2d018fe855e809bb36ceda6c134193a1ad658058e0a5fb024e43e0520b38dd2e6ef5edd34da
|
data/MIT-LICENSE.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
The MIT License (MIT)
|
|
2
2
|
=====================
|
|
3
3
|
|
|
4
|
-
Copyright (c)
|
|
4
|
+
Copyright (c) 2017 GitLab B.V.
|
|
5
5
|
|
|
6
6
|
Permission is hereby granted, free of charge, to any person obtaining a copy of
|
|
7
7
|
this software and associated documentation files (the "Software"), to deal in
|
|
@@ -19,4 +19,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
19
19
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
20
20
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
21
21
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
22
|
-
SOFTWARE.
|
|
22
|
+
SOFTWARE.
|
data/README.md
CHANGED
|
@@ -2,7 +2,7 @@ This is an early attempt at creating Rubocop rules, similar to Rubocop-RSpec, fo
|
|
|
2
2
|
blocking dangerous code. This code is based heavily upon the [Rubocop-RSpec](https://github.com/backus/rubocop-rspec)
|
|
3
3
|
code released under the MIT License.
|
|
4
4
|
|
|
5
|
-
Installation
|
|
5
|
+
## Installation
|
|
6
6
|
|
|
7
7
|
Just install the `rubocop-gitlab-security` gem
|
|
8
8
|
|
|
@@ -54,17 +54,17 @@ By default, `rubocop-gitlab-security` inspects all files. You can override this
|
|
|
54
54
|
```yaml
|
|
55
55
|
# Inspect all files
|
|
56
56
|
AllCops:
|
|
57
|
-
|
|
57
|
+
GitlabSecurity:
|
|
58
58
|
Patterns:
|
|
59
59
|
- '.+'
|
|
60
60
|
```
|
|
61
61
|
|
|
62
62
|
```yaml
|
|
63
|
-
# Inspect only files
|
|
63
|
+
# Inspect only controller files.
|
|
64
64
|
AllCops:
|
|
65
|
-
|
|
65
|
+
GitlabSecurity:
|
|
66
66
|
Patterns:
|
|
67
|
-
-
|
|
67
|
+
- app/controllers/**/*.rb
|
|
68
68
|
```
|
|
69
69
|
|
|
70
70
|
## The Cops
|
data/config/default.yml
CHANGED
|
@@ -8,3 +8,9 @@ AllCops:
|
|
|
8
8
|
GitlabSecurity/PublicSend:
|
|
9
9
|
Description: Check for use of send()/public_send()
|
|
10
10
|
Enabled: true
|
|
11
|
+
GitlabSecurity/RedirectToParamsUpdate:
|
|
12
|
+
Description: Check for use of redirect_to(params.update())
|
|
13
|
+
Enabled: true
|
|
14
|
+
GitlabSecurity/SendFileParams:
|
|
15
|
+
Description: Check for passing of params hash to send_file()
|
|
16
|
+
Enabled: true
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
module RuboCop
|
|
2
|
+
module Cop
|
|
3
|
+
module GitlabSecurity
|
|
4
|
+
# Check for use of redirect_to(params.update())
|
|
5
|
+
#
|
|
6
|
+
# Passing user params to the redirect_to method provides an open redirect
|
|
7
|
+
#
|
|
8
|
+
# @example
|
|
9
|
+
#
|
|
10
|
+
# # bad
|
|
11
|
+
# redirect_to(params.update(action:'main'))
|
|
12
|
+
#
|
|
13
|
+
# # good
|
|
14
|
+
# redirect_to(whitelist(params))
|
|
15
|
+
#
|
|
16
|
+
class RedirectToParamsUpdate < RuboCop::Cop::Cop
|
|
17
|
+
MSG = 'Avoid using redirect_to(params.update()). Only pass whitelisted arguments into redirect_to() (e.g. not including `host`)'
|
|
18
|
+
|
|
19
|
+
def_node_matcher :redirect_to_params_update_node, <<-PATTERN
|
|
20
|
+
(send nil :redirect_to (send (send nil :params) ${:update :merge} ...))
|
|
21
|
+
PATTERN
|
|
22
|
+
|
|
23
|
+
def on_send(node)
|
|
24
|
+
return unless redirect_to_params_update_node(node)
|
|
25
|
+
|
|
26
|
+
add_offense(node, :selector)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
module RuboCop
|
|
2
|
+
module Cop
|
|
3
|
+
module GitlabSecurity
|
|
4
|
+
# Check for use of send_file(..., params[], ...)
|
|
5
|
+
#
|
|
6
|
+
# Passing user params to the send_file() method allows directory traversal
|
|
7
|
+
#
|
|
8
|
+
# @example
|
|
9
|
+
#
|
|
10
|
+
# # bad
|
|
11
|
+
# send_file("/tmp/myproj/" + params[:filename])
|
|
12
|
+
#
|
|
13
|
+
# # good (verify directory)
|
|
14
|
+
|
|
15
|
+
# basename = File.expand_path("/tmp/myproj")
|
|
16
|
+
# filename = File.expand_path(File.join(basename, @file.public_filename))
|
|
17
|
+
# raise if basename != filename
|
|
18
|
+
# send_file filename, disposition: 'inline'
|
|
19
|
+
#
|
|
20
|
+
class SendFileParams < RuboCop::Cop::Cop
|
|
21
|
+
MSG = 'Do not pass user provided params directly to send_file(), verify the path with file.expand_path() first.'
|
|
22
|
+
|
|
23
|
+
def_node_search :params_node?, <<-PATTERN
|
|
24
|
+
(send (send nil :params) ... )
|
|
25
|
+
PATTERN
|
|
26
|
+
|
|
27
|
+
def on_send(node)
|
|
28
|
+
return unless node.command?(:send_file)
|
|
29
|
+
return unless node.method_args.any? { |e| params_node?(e) }
|
|
30
|
+
|
|
31
|
+
add_offense(node, :selector)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
|
|
|
10
10
|
Basic security checking for Ruby files.
|
|
11
11
|
A plugin for the RuboCop code style enforcing & linting tool.
|
|
12
12
|
end_description
|
|
13
|
-
spec.homepage = '
|
|
13
|
+
spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security'
|
|
14
14
|
spec.authors = ['Brian Neel']
|
|
15
15
|
spec.email = [
|
|
16
16
|
'brian@gitlab.com'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rubocop-gitlab-security
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Brian Neel
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-06-
|
|
11
|
+
date: 2017-06-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rubocop
|
|
@@ -55,6 +55,8 @@ files:
|
|
|
55
55
|
- lib/rubocop-gitlab-security.rb
|
|
56
56
|
- lib/rubocop/cop/gitlab-security/cop.rb
|
|
57
57
|
- lib/rubocop/cop/gitlab-security/public_send.rb
|
|
58
|
+
- lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
|
|
59
|
+
- lib/rubocop/cop/gitlab-security/send_file_params.rb
|
|
58
60
|
- lib/rubocop/gitlab-security.rb
|
|
59
61
|
- lib/rubocop/gitlab-security/concept.rb
|
|
60
62
|
- lib/rubocop/gitlab-security/config_formatter.rb
|
|
@@ -70,7 +72,7 @@ files:
|
|
|
70
72
|
- lib/rubocop/gitlab-security/version.rb
|
|
71
73
|
- lib/rubocop/gitlab-security/wording.rb
|
|
72
74
|
- rubocop-gitlab-security.gemspec
|
|
73
|
-
homepage:
|
|
75
|
+
homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security
|
|
74
76
|
licenses:
|
|
75
77
|
- MIT
|
|
76
78
|
metadata: {}
|