rubocop-gitlab-security 0.0.4 → 0.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/config/default.yml +9 -0
- data/lib/rubocop-gitlab-security.rb +3 -0
- data/lib/rubocop/cop/gitlab-security/deep_munge.rb +29 -0
- data/lib/rubocop/cop/gitlab-security/sql_injection.rb +37 -0
- data/lib/rubocop/cop/gitlab-security/system_command_injection.rb +34 -0
- data/lib/rubocop/gitlab-security/version.rb +1 -1
- data/rubocop-gitlab-security.gemspec +1 -1
- metadata +6 -3
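--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 2e1fe57d15469d24c90209220a37540eb886cdd7
+  data.tar.gz: 5731689f88cac6519849b5c4d077705f6e814786
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 0495dbd2a6a58e6287f254bd94902d41ce7ec9464ef3544b9fe10cc681508278c0bc37a6d042cebb88cfcae551ff1c074f8d76c814ce47b8325ab5ace6387fdb
+  data.tar.gz: 7d9034db66ba383b9f4858954922ab80c897f4092985da4a74784775aa35ef5c0def2313a0f0f6381af3c5d1e87b6d5bcf8a67538a31617c182ad39aecab4ca3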
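--- a/data/config/default.yml
+++ b/data/config/default.yml
@@ -5,6 +5,9 @@ AllCops:
   Patterns:
     - '.+'
 
+GitlabSecurity/DeepMunge:
+  Description: Disallow removal of Deep Munge setting
+  Enabled: true
 GitlabSecurity/PublicSend:
   Description: Check for use of send()/public_send()
   Enabled: true
@@ -14,3 +17,9 @@ GitlabSecurity/RedirectToParamsUpdate:
 GitlabSecurity/SendFileParams:
   Description: Check for passing of params hash to send_file()
   Enabled: true
+GitlabSecurity/SqlInjection:
+  Description: Check for SQL Injection in where()
+  Enabled: true
+GitlabSecurity/SystemCommandInjection:
+  Description: Check for Command Injection in System()
+  Enabled: true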
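--- a/data/lib/rubocop-gitlab-security.rb
+++ b/data/lib/rubocop-gitlab-security.rb
@@ -19,6 +19,9 @@ require 'rubocop/cop/gitlab-security/cop'
 
 RuboCop::GitlabSecurity::Inject.defaults!
 
+require 'rubocop/cop/gitlab-security/deep_munge'
 require 'rubocop/cop/gitlab-security/public_send'
 require 'rubocop/cop/gitlab-security/redirect_to_params_update'
 require 'rubocop/cop/gitlab-security/send_file_params'
+require 'rubocop/cop/gitlab-security/sql_injection'
+require 'rubocop/cop/gitlab-security/system_command_injection'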
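--- a/data/lib/rubocop/cop/gitlab-security/deep_munge.rb
+++ b/data/lib/rubocop/cop/gitlab-security/deep_munge.rb
@@ -0,0 +1,29 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for disabling the deep munge security control via:
+      # config.action_dispatch.perform_deep_munge = false
+      #
+      # Disabling this security setting can leave the application open to unsafe query generation
+      #
+      # @example
+      #
+      #   # bad
+      #   config.action_dispatch.perform_deep_munge = false
+      #
+      class DeepMunge < RuboCop::Cop::Cop
+        MSG = 'Never disable the deep munge security option. See CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155'
+
+        def_node_matcher :disable_deep_munge?, <<-PATTERN
+          (send (send (send nil :config) :action_dispatch) :perform_deep_munge= (false))
+        PATTERN
+
+        def on_send(node)
+          return unless disable_deep_munge?(node)
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end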
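Review bot: The matcher at line 18 of the new file only fires when the receiver chain is literally a bare `config.action_dispatch`, so the same setting reached through another receiver — `Rails.application.config.action_dispatch.perform_deep_munge = false` in an initializer, or (I believe, worth confirming against the Rails source) the underlying `ActionDispatch::Request::Utils.perform_deep_munge = false` accessor — is silently accepted, which is a false negative for exactly the control the MSG says must never be disabled. Since the decision really hinges on the `:perform_deep_munge=` selector with a `false` argument, the receiver prefix can be relaxed to `(send (send _ :action_dispatch) :perform_deep_munge= (false))`, with a second matcher for the `Request::Utils` form once that target is confirmed. A short comment on the matcher stating which receiver shapes it does and does not cover, e.g. `# only the config.action_dispatch.* form; see TODO for other receivers`, would keep the scope honest for the next reader.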
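--- a/data/lib/rubocop/cop/gitlab-security/sql_injection.rb
+++ b/data/lib/rubocop/cop/gitlab-security/sql_injection.rb
@@ -0,0 +1,37 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of where("name = '#{params[:name]}'")
+      #
+      # Passing user input to where() without parameterization can result in SQL Injection
+      #
+      # @example
+      #
+      #   # bad
+      #   u = User.where("name = '#{params[:name]}'")
+      #
+      #   # good (parameters)
+      #   u = User.where("name = ? AND id = ?", params[:name], params[:id])
+      #   u = User.where(name: params[:name], id: params[:id])
+      #
+      class SqlInjection < RuboCop::Cop::Cop
+        MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries'
+
+        def_node_matcher :where_user_input?, <<-PATTERN
+          (send _ :where ...)
+        PATTERN
+
+        def_node_matcher :string_var_string?, <<-PATTERN
+          (dstr (str ...) (begin ...) (str ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless where_user_input?(node)
+          return unless node.method_args.any? { |e| string_var_string?(e) }
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end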
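Review bot: `string_var_string?` (line 25 of the new file) requires a literal string *after* the interpolation, so a fragment whose interpolation is the last thing in the string — `where("id = #{params[:id]}")` or `where("id IN (#{ids})")`, parsed as `(dstr (str ...) (begin ...))` with no trailing `str` — is not reported, and that is the usual shape of an injectable numeric or `IN (...)` predicate. The sibling cop in `system_command_injection.rb` already uses the looser `(dstr (str ...) (begin ...) ...)`; using the same pattern here (or `(dstr <(begin ...) ...>)` if the rubocop version in the gemspec supports the any-order `<...>` node-pattern form) would catch both shapes and keep the two cops consistent. `where_user_input?` also matches every `where` call on any receiver, which is fine for recall but the name promises more than it checks; a one-line comment such as `# any where() call — the argument inspection below decides whether it is an offense` would avoid misleading the next reader.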
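--- a/data/lib/rubocop/cop/gitlab-security/system_command_injection.rb
+++ b/data/lib/rubocop/cop/gitlab-security/system_command_injection.rb
@@ -0,0 +1,34 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Check for use of system("/bin/ls #{params[:file]}")
+      #
+      # Passing user input to system() without sanitization and parameterization can result in command injection
+      #
+      # @example
+      #
+      #   # bad
+      #   system("/bin/ls #(unknown)")
+      #
+      #   # good (parameters)
+      #   system("/bin/ls", filename)
+      #   # even better
+      #   exec("/bin/ls", shell_escape(filename))
+      #
+      class SystemCommandInjection < RuboCop::Cop::Cop
+        MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.'
+
+        def_node_matcher :system_var?, <<-PATTERN
+          (dstr (str ...) (begin ...) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless node.command?(:system)
+          return unless node.method_args.any? { |e| system_var?(e) }
+
+          add_offense(node, :selector)
+        end
+      end
+    end
+  end
+end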
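Review bot: Inspecting every argument with `node.method_args.any?` (line 27 of the new file) flags the safe multi-argument form the MSG itself recommends: in `system("cp", "src/#{name}", dest)` the command and its arguments are passed to the process separately and no shell parses them, yet the interpolated second argument matches `system_var?` and an offense is reported, so the cop contradicts its own advice and trains people to ignore it. Since MSG is about variables in the command name, only the first argument should be inspected: `arg = node.method_args.first` / `return unless arg && system_var?(arg)` (the nil guard covers a bare `system` with no arguments). The pattern also misses a string that begins with the interpolation (`system("#{cmd} -l")`, parsed as `(dstr (begin ...) (str ...))`), and `node.command?(:system)` only matches the receiver-less call, so `Kernel.system`, backticks/`%x` (`xstr`), `exec`, `spawn` and `IO.popen` take the same shell path unflagged; a `# TODO: also cover Kernel.system, exec, spawn, xstr` comment would at least record the known gap. The `# even better` example names `shell_escape`, which is not a Ruby core method — `Shellwords.escape` is the standard one, and with the multi-argument `exec` form shown no escaping is needed at all.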
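--- a/data/rubocop-gitlab-security.gemspec
+++ b/data/rubocop-gitlab-security.gemspec
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
     Basic security checking for Ruby files.
     A plugin for the RuboCop code style enforcing & linting tool.
   end_description
-  spec.homepage = '
+  spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
   spec.authors = ['Brian Neel']
   spec.email = [
     'brian@gitlab.com'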
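--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-  version: 0.0.
+  version: 0.0.5
 platform: ruby
 authors:
 - Brian Neel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-
+date: 2017-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -54,9 +54,12 @@ files:
 - config/default.yml
 - lib/rubocop-gitlab-security.rb
 - lib/rubocop/cop/gitlab-security/cop.rb
+- lib/rubocop/cop/gitlab-security/deep_munge.rb
 - lib/rubocop/cop/gitlab-security/public_send.rb
 - lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
 - lib/rubocop/cop/gitlab-security/send_file_params.rb
+- lib/rubocop/cop/gitlab-security/sql_injection.rb
+- lib/rubocop/cop/gitlab-security/system_command_injection.rb
 - lib/rubocop/gitlab-security.rb
 - lib/rubocop/gitlab-security/concept.rb
 - lib/rubocop/gitlab-security/config_formatter.rb
@@ -72,7 +75,7 @@ files:
 - lib/rubocop/gitlab-security/version.rb
 - lib/rubocop/gitlab-security/wording.rb
 - rubocop-gitlab-security.gemspec
-homepage:
+homepage: http://gitlab.com/briann/rubocop-gitlab-security
 licenses:
 - MIT
 metadata: {}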