rubocop-gitlab-security 0.0.4 → 0.0.5

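--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 07583650e709307d9bef8cf66f06ae194d8c9016
- data.tar.gz: 80e18df385a8682121b0bf064e827a48336bd6fe
+ metadata.gz: 2e1fe57d15469d24c90209220a37540eb886cdd7
+ data.tar.gz: 5731689f88cac6519849b5c4d077705f6e814786
  SHA512:
- metadata.gz: 447ce7bd7c92f5753a682a67e15b94b869237e0da9180a2edda0a8a4da20dd6b90f1f488c9c56713ca49d99c87c5f0b7833e4043cbb2532b0a9f891683227d5b
- data.tar.gz: 2a3f5f2f545b1ef07b044b7b1dc7e359251f9abeac925188552ab2d018fe855e809bb36ceda6c134193a1ad658058e0a5fb024e43e0520b38dd2e6ef5edd34da
+ metadata.gz: 0495dbd2a6a58e6287f254bd94902d41ce7ec9464ef3544b9fe10cc681508278c0bc37a6d042cebb88cfcae551ff1c074f8d76c814ce47b8325ab5ace6387fdb
+ data.tar.gz: 7d9034db66ba383b9f4858954922ab80c897f4092985da4a74784775aa35ef5c0def2313a0f0f6381af3c5d1e87b6d5bcf8a67538a31617c182ad39aecab4ca3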
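--- a/data/config/default.yml
+++ b/data/config/default.yml
@@ -5,6 +5,9 @@ AllCops:
  Patterns:
  - '.+'
 
+ GitlabSecurity/DeepMunge:
+ Description: Disallow removal of Deep Munge setting
+ Enabled: true
  GitlabSecurity/PublicSend:
  Description: Check for use of send()/public_send()
  Enabled: true
@@ -14,3 +17,9 @@ GitlabSecurity/RedirectToParamsUpdate:
  GitlabSecurity/SendFileParams:
  Description: Check for passing of params hash to send_file()
  Enabled: true
+ GitlabSecurity/SqlInjection:
+ Description: Check for SQL Injection in where()
+ Enabled: true
+ GitlabSecurity/SystemCommandInjection:
+ Description: Check for Command Injection in System()
+ Enabled: true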
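--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -19,6 +19,9 @@ require 'rubocop/cop/gitlab-security/cop'
 
  RuboCop::GitlabSecurity::Inject.defaults!
 
+ require 'rubocop/cop/gitlab-security/deep_munge'
  require 'rubocop/cop/gitlab-security/public_send'
  require 'rubocop/cop/gitlab-security/redirect_to_params_update'
  require 'rubocop/cop/gitlab-security/send_file_params'
+ require 'rubocop/cop/gitlab-security/sql_injection'
+ require 'rubocop/cop/gitlab-security/system_command_injection'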
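--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/deep_munge.rb
@@ -0,0 +1,29 @@
+ module RuboCop
+ module Cop
+ module GitlabSecurity
+ # Check for disabling the deep munge security control via:
+ # config.action_dispatch.perform_deep_munge = false
+ #
+ # Disabling this security setting can leave the application open to unsafe query generation
+ #
+ # @example
+ #
+ # # bad
+ # config.action_dispatch.perform_deep_munge = false
+ #
+ class DeepMunge < RuboCop::Cop::Cop
+ MSG = 'Never disable the deep munge security option. See CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155'
+
+ def_node_matcher :disable_deep_munge?, <<-PATTERN
+ (send (send (send nil :config) :action_dispatch) :perform_deep_munge= (false))
+ PATTERN
+
+ def on_send(node)
+ return unless disable_deep_munge?(node)
+
+ add_offense(node, :selector)
+ end
+ end
+ end
+ end
+ end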
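Review bot: The `disable_deep_munge?` matcher only accepts a receiverless `config`, so the same setting written as `Rails.application.config.action_dispatch.perform_deep_munge = false` (or through any other receiver) in an initializer is not flagged. If the cop is meant to catch that spelling too, loosening the receiver to `(send (send _ :action_dispatch) :perform_deep_munge= (false))` covers both forms, at the cost of possible matches on unrelated objects that happen to expose `action_dispatch`, which seems an acceptable trade-off for a security cop. Assignment of a non-literal value (a constant or an ENV lookup) is outside what a literal matcher can decide; that limitation is worth a sentence in the class comment so a clean run is not read as proof that the setting is on.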
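--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/sql_injection.rb
@@ -0,0 +1,37 @@
+ module RuboCop
+ module Cop
+ module GitlabSecurity
+ # Check for use of where("name = '#{params[:name]}'")
+ #
+ # Passing user input to where() without parameterization can result in SQL Injection
+ #
+ # @example
+ #
+ # # bad
+ # u = User.where("name = '#{params[:name]}'")
+ #
+ # # good (parameters)
+ # u = User.where("name = ? AND id = ?", params[:name], params[:id])
+ # u = User.where(name: params[:name], id: params[:id])
+ #
+ class SqlInjection < RuboCop::Cop::Cop
+ MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries'
+
+ def_node_matcher :where_user_input?, <<-PATTERN
+ (send _ :where ...)
+ PATTERN
+
+ def_node_matcher :string_var_string?, <<-PATTERN
+ (dstr (str ...) (begin ...) (str ...) ...)
+ PATTERN
+
+ def on_send(node)
+ return unless where_user_input?(node)
+ return unless node.method_args.any? { |e| string_var_string?(e) }
+
+ add_offense(node, :selector)
+ end
+ end
+ end
+ end
+ end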
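Review bot: The `string_var_string?` pattern requires a literal `str` child after the interpolated `begin`, so `where("id = #{params[:id]}")` (a `dstr` with only two children) and `where("#{column} = ?")` are not reported, even though both embed input directly in the SQL text. A plain type check on the argument covers every interpolation position: `return unless node.method_args.any? { |e| e.dstr_type? && e.children.any?(&:begin_type?) }`. Strings built with `+` or assigned to a variable before the `where()` call still go undetected; stating that limit in the class comment would keep users from reading a clean run as proof of parameterization.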
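--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/system_command_injection.rb
@@ -0,0 +1,34 @@
+ module RuboCop
+ module Cop
+ module GitlabSecurity
+ # Check for use of system("/bin/ls #{params[:file]}")
+ #
+ # Passing user input to system() without sanitization and parameterization can result in command injection
+ #
+ # @example
+ #
+ # # bad
+ # system("/bin/ls #(unknown)")
+ #
+ # # good (parameters)
+ # system("/bin/ls", filename)
+ # # even better
+ # exec("/bin/ls", shell_escape(filename))
+ #
+ class SystemCommandInjection < RuboCop::Cop::Cop
+ MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.'
+
+ def_node_matcher :system_var?, <<-PATTERN
+ (dstr (str ...) (begin ...) ...)
+ PATTERN
+
+ def on_send(node)
+ return unless node.command?(:system)
+ return unless node.method_args.any? { |e| system_var?(e) }
+
+ add_offense(node, :selector)
+ end
+ end
+ end
+ end
+ end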
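Review bot: The `system_var?` pattern requires the command string to begin with a literal `str`, so `system("#{cmd} -l")` is not flagged although the interpolated value is the command itself; the same node-type check as for the `where()` cop, `return unless node.method_args.any? { |e| e.dstr_type? && e.children.any?(&:begin_type?) }`, catches interpolation in any position. The bad example in the class comment, `system("/bin/ls #(unknown)")`, looks garbled and presumably meant `#{params[:file]}` as on the first comment line. The "even better" example calls `shell_escape`, which is not a standard Ruby method (`Shellwords.escape` is), and with the multi-argument form no shell is involved so the escaping adds nothing; `exec` also replaces the current process, which makes it a surprising recommendation over the multi-argument `system` form. Only `system` is matched here; backticks, `exec`, `spawn` and `IO.popen` accept the same kind of string and would need the same check if the cop is meant to cover command execution generally.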
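--- a/lib/rubocop/gitlab-security/version.rb
+++ b/lib/rubocop/gitlab-security/version.rb
@@ -4,7 +4,7 @@ module RuboCop
  module GitlabSecurity
  # Version information for the GitlabSecurity Rubocop plugin.
  module Version
- STRING = '0.0.4'.freeze
+ STRING = '0.0.5'.freeze
  end
  end
  end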
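--- a/rubocop-gitlab-security.gemspec
+++ b/rubocop-gitlab-security.gemspec
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
  Basic security checking for Ruby files.
  A plugin for the RuboCop code style enforcing & linting tool.
  end_description
- spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security'
+ spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
  spec.authors = ['Brian Neel']
  spec.email = [
  'brian@gitlab.com'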
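Review bot: The new `spec.homepage` value changes the scheme from `https://` to `http://`, so anyone following the gem's homepage link from the registry or the generated metadata is sent over plain HTTP, where the response can be tampered with before any redirect to TLS; `spec.homepage = 'https://gitlab.com/briann/rubocop-gitlab-security'` keeps the move to the new namespace without the downgrade. The same value is copied into the `homepage:` line of the metadata file section below, so fixing the gemspec and regenerating the gem corrects both. The `Gem::Specification.new` block starts before this hunk.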
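--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: rubocop-gitlab-security
  version: !ruby/object:Gem::Version
- version: 0.0.4
+ version: 0.0.5
  platform: ruby
  authors:
  - Brian Neel
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2017-06-29 00:00:00.000000000 Z
+ date: 2017-07-10 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rubocop
@@ -54,9 +54,12 @@ files:
  - config/default.yml
  - lib/rubocop-gitlab-security.rb
  - lib/rubocop/cop/gitlab-security/cop.rb
+ - lib/rubocop/cop/gitlab-security/deep_munge.rb
  - lib/rubocop/cop/gitlab-security/public_send.rb
  - lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
  - lib/rubocop/cop/gitlab-security/send_file_params.rb
+ - lib/rubocop/cop/gitlab-security/sql_injection.rb
+ - lib/rubocop/cop/gitlab-security/system_command_injection.rb
  - lib/rubocop/gitlab-security.rb
  - lib/rubocop/gitlab-security/concept.rb
  - lib/rubocop/gitlab-security/config_formatter.rb
@@ -72,7 +75,7 @@ files:
  - lib/rubocop/gitlab-security/version.rb
  - lib/rubocop/gitlab-security/wording.rb
  - rubocop-gitlab-security.gemspec
- homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security
+ homepage: http://gitlab.com/briann/rubocop-gitlab-security
  licenses:
  - MIT
  metadata: {}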