rubocop-gitlab-security 0.0.4 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 07583650e709307d9bef8cf66f06ae194d8c9016
-  data.tar.gz: 80e18df385a8682121b0bf064e827a48336bd6fe
+  metadata.gz: 2e1fe57d15469d24c90209220a37540eb886cdd7
+  data.tar.gz: 5731689f88cac6519849b5c4d077705f6e814786
 SHA512:
-  metadata.gz: 447ce7bd7c92f5753a682a67e15b94b869237e0da9180a2edda0a8a4da20dd6b90f1f488c9c56713ca49d99c87c5f0b7833e4043cbb2532b0a9f891683227d5b
-  data.tar.gz: 2a3f5f2f545b1ef07b044b7b1dc7e359251f9abeac925188552ab2d018fe855e809bb36ceda6c134193a1ad658058e0a5fb024e43e0520b38dd2e6ef5edd34da
+  metadata.gz: 0495dbd2a6a58e6287f254bd94902d41ce7ec9464ef3544b9fe10cc681508278c0bc37a6d042cebb88cfcae551ff1c074f8d76c814ce47b8325ab5ace6387fdb
+  data.tar.gz: 7d9034db66ba383b9f4858954922ab80c897f4092985da4a74784775aa35ef5c0def2313a0f0f6381af3c5d1e87b6d5bcf8a67538a31617c182ad39aecab4ca3

data/config/default.yml

@@ -5,6 +5,9 @@ AllCops:
     Patterns:
     - '.+'
 
+GitlabSecurity/DeepMunge:
+  Description: Disallow removal of Deep Munge setting
+  Enabled: true
 GitlabSecurity/PublicSend:
   Description: Check for use of send()/public_send()
   Enabled: true
@@ -14,3 +17,9 @@ GitlabSecurity/RedirectToParamsUpdate:
 GitlabSecurity/SendFileParams:
   Description: Check for passing of params hash to send_file()
   Enabled: true
+GitlabSecurity/SqlInjection:
+  Description: Check for SQL Injection in where()
+  Enabled: true
+GitlabSecurity/SystemCommandInjection:
+  Description: Check for Command Injection in System()
+  Enabled: true

data/lib/rubocop-gitlab-security.rb

@@ -19,6 +19,9 @@ require 'rubocop/cop/gitlab-security/cop'
 
 RuboCop::GitlabSecurity::Inject.defaults!
 
+require 'rubocop/cop/gitlab-security/deep_munge'
 require 'rubocop/cop/gitlab-security/public_send'
 require 'rubocop/cop/gitlab-security/redirect_to_params_update'
 require 'rubocop/cop/gitlab-security/send_file_params'
+require 'rubocop/cop/gitlab-security/sql_injection'
+require 'rubocop/cop/gitlab-security/system_command_injection'

data/lib/rubocop/cop/gitlab-security/deep_munge.rb

@@ -0,0 +1,29 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for disabling the deep munge security control via:
+      # config.action_dispatch.perform_deep_munge = false
+      #
+      # Disabling this security setting can leave the application open to unsafe query generation
+      # 
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      # 
+      class DeepMunge < RuboCop::Cop::Cop
+        MSG = 'Never disable the deep munge security option. See CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155' 
+   
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send (send (send nil :config) :action_dispatch) :perform_deep_munge= (false))
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab-security/sql_injection.rb

@@ -0,0 +1,37 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      # 
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      # 
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Cop
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries'
+   
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.method_args.any? { |e| string_var_string?(e) }
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab-security/system_command_injection.rb

@@ -0,0 +1,34 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      # 
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #{filename}")
+      # 
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Cop
+        MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.'
+   
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.method_args.any? { |e| system_var?(e) }
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/gitlab-security/version.rb

@@ -4,7 +4,7 @@ module RuboCop
   module GitlabSecurity
     # Version information for the GitlabSecurity Rubocop  plugin.
     module Version
-      STRING = '0.0.4'.freeze
+      STRING = '0.0.5'.freeze
     end
   end
 end

data/rubocop-gitlab-security.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
     Basic security checking for Ruby files.
     A plugin for the RuboCop code style enforcing & linting tool.
   end_description
-  spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security'
+  spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
   spec.authors = ['Brian Neel']
   spec.email = [
     'brian@gitlab.com'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Brian Neel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-06-29 00:00:00.000000000 Z
+date: 2017-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -54,9 +54,12 @@ files:
 - config/default.yml
 - lib/rubocop-gitlab-security.rb
 - lib/rubocop/cop/gitlab-security/cop.rb
+- lib/rubocop/cop/gitlab-security/deep_munge.rb
 - lib/rubocop/cop/gitlab-security/public_send.rb
 - lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
 - lib/rubocop/cop/gitlab-security/send_file_params.rb
+- lib/rubocop/cop/gitlab-security/sql_injection.rb
+- lib/rubocop/cop/gitlab-security/system_command_injection.rb
 - lib/rubocop/gitlab-security.rb
 - lib/rubocop/gitlab-security/concept.rb
 - lib/rubocop/gitlab-security/config_formatter.rb
@@ -72,7 +75,7 @@ files:
 - lib/rubocop/gitlab-security/version.rb
 - lib/rubocop/gitlab-security/wording.rb
 - rubocop-gitlab-security.gemspec
-homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security
+homepage: http://gitlab.com/briann/rubocop-gitlab-security
 licenses:
 - MIT
 metadata: {}