rubocop-gitlab-security 0.0.4 → 0.0.5

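--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 07583650e709307d9bef8cf66f06ae194d8c9016
-data.tar.gz: 80e18df385a8682121b0bf064e827a48336bd6fe
+metadata.gz: 2e1fe57d15469d24c90209220a37540eb886cdd7
+data.tar.gz: 5731689f88cac6519849b5c4d077705f6e814786
 SHA512:
-metadata.gz: 447ce7bd7c92f5753a682a67e15b94b869237e0da9180a2edda0a8a4da20dd6b90f1f488c9c56713ca49d99c87c5f0b7833e4043cbb2532b0a9f891683227d5b
-data.tar.gz: 2a3f5f2f545b1ef07b044b7b1dc7e359251f9abeac925188552ab2d018fe855e809bb36ceda6c134193a1ad658058e0a5fb024e43e0520b38dd2e6ef5edd34da
+metadata.gz: 0495dbd2a6a58e6287f254bd94902d41ce7ec9464ef3544b9fe10cc681508278c0bc37a6d042cebb88cfcae551ff1c074f8d76c814ce47b8325ab5ace6387fdb
+data.tar.gz: 7d9034db66ba383b9f4858954922ab80c897f4092985da4a74784775aa35ef5c0def2313a0f0f6381af3c5d1e87b6d5bcf8a67538a31617c182ad39aecab4ca3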
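--- a/data/config/default.yml
+++ b/data/config/default.yml
@@ -5,6 +5,9 @@ AllCops:
 Patterns:
 - '.+'
 
+GitlabSecurity/DeepMunge:
+Description: Disallow removal of Deep Munge setting
+Enabled: true
 GitlabSecurity/PublicSend:
 Description: Check for use of send()/public_send()
 Enabled: true
@@ -14,3 +17,9 @@ GitlabSecurity/RedirectToParamsUpdate:
 GitlabSecurity/SendFileParams:
 Description: Check for passing of params hash to send_file()
 Enabled: true
+GitlabSecurity/SqlInjection:
+Description: Check for SQL Injection in where()
+Enabled: true
+GitlabSecurity/SystemCommandInjection:
+Description: Check for Command Injection in System()
+Enabled: true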
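Review bot: The description added for `GitlabSecurity/SystemCommandInjection` capitalises the method as `System()`, while the cop itself matches `system` (`node.command?(:system)`) and the neighbouring entries use the lowercase Ruby names (`where()`, `send_file()`); it should read `Description: Check for Command Injection in system()`. The new `DeepMunge` description, `Disallow removal of Deep Munge setting`, would be clearer as `Disallow disabling of the deep munge setting`, since the cop flags `perform_deep_munge = false` rather than a removed line.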
@@ -19,6 +19,9 @@ require 'rubocop/cop/gitlab-security/cop'
19
19
 
20
20
  RuboCop::GitlabSecurity::Inject.defaults!
21
21
 
22
+ require 'rubocop/cop/gitlab-security/deep_munge'
22
23
  require 'rubocop/cop/gitlab-security/public_send'
23
24
  require 'rubocop/cop/gitlab-security/redirect_to_params_update'
24
25
  require 'rubocop/cop/gitlab-security/send_file_params'
26
+ require 'rubocop/cop/gitlab-security/sql_injection'
27
+ require 'rubocop/cop/gitlab-security/system_command_injection'
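--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/deep_munge.rb
@@ -0,0 +1,29 @@
+module RuboCop
+module Cop
+module GitlabSecurity
+# Check for disabling the deep munge security control via:
+# config.action_dispatch.perform_deep_munge = false
+#
+# Disabling this security setting can leave the application open to unsafe query generation
+#
+# @example
+#
+# # bad
+# config.action_dispatch.perform_deep_munge = false
+#
+class DeepMunge < RuboCop::Cop::Cop
+MSG = 'Never disable the deep munge security option. See CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155'
+
+def_node_matcher :disable_deep_munge?, <<-PATTERN
+(send (send (send nil :config) :action_dispatch) :perform_deep_munge= (false))
+PATTERN
+
+def on_send(node)
+return unless disable_deep_munge?(node)
+
+add_offense(node, :selector)
+end
+end
+end
+end
+end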
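Review bot: The `disable_deep_munge?` pattern pins the receiver to a bare `config` via `(send nil :config)`, so the same setting written as `Rails.application.config.action_dispatch.perform_deep_munge = false` (or through any other local name) is not flagged, and only a literal `false` on the right-hand side is caught. If the bundled NodePattern lets `_` stand for a nil receiver as well, loosening the innermost send to `(send (send (send _ :config) :action_dispatch) :perform_deep_munge= (false))` would cover both spellings without changing the rest of the cop. The class comment should also say that only a literal `false` assignment is detected, so readers do not assume a value held in a variable or read from the environment is reported.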
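--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/sql_injection.rb
@@ -0,0 +1,37 @@
+module RuboCop
+module Cop
+module GitlabSecurity
+# Check for use of where("name = '#{params[:name]}'")
+#
+# Passing user input to where() without parameterization can result in SQL Injection
+#
+# @example
+#
+# # bad
+# u = User.where("name = '#{params[:name]}'")
+#
+# # good (parameters)
+# u = User.where("name = ? AND id = ?", params[:name], params[:id])
+# u = User.where(name: params[:name], id: params[:id])
+#
+class SqlInjection < RuboCop::Cop::Cop
+MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries'
+
+def_node_matcher :where_user_input?, <<-PATTERN
+(send _ :where ...)
+PATTERN
+
+def_node_matcher :string_var_string?, <<-PATTERN
+(dstr (str ...) (begin ...) (str ...) ...)
+PATTERN
+
+def on_send(node)
+return unless where_user_input?(node)
+return unless node.method_args.any? { |e| string_var_string?(e) }
+
+add_offense(node, :selector)
+end
+end
+end
+end
+end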
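Review bot: `string_var_string?` only matches an interpolation that is followed by another literal segment (`(str ...) (begin ...) (str ...)`), so `where("name = #{params[:name]}")` with the interpolation at the end of the string, or `where("#{column} = ?", value)`, passes the cop unflagged even though the class comment promises to catch interpolated where() arguments. If the bundled RuboCop exposes the generated `dstr_type?`/`begin_type?` predicates, replacing the `def_node_matcher :string_var_string?` block with a plain method makes the check position-independent: `def string_var_string?(node); node.dstr_type? && node.children.any?(&:begin_type?); end`. A comment above the matcher noting that string concatenation (`"name = '" + params[:name] + "'"`) is outside this cop's scope would keep the documented coverage honest.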
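--- /dev/null
+++ b/lib/rubocop/cop/gitlab-security/system_command_injection.rb
@@ -0,0 +1,34 @@
+module RuboCop
+module Cop
+module GitlabSecurity
+# Check for use of system("/bin/ls #{params[:file]}")
+#
+# Passing user input to system() without sanitization and parameterization can result in command injection
+#
+# @example
+#
+# # bad
+# system("/bin/ls #(unknown)")
+#
+# # good (parameters)
+# system("/bin/ls", filename)
+# # even better
+# exec("/bin/ls", shell_escape(filename))
+#
+class SystemCommandInjection < RuboCop::Cop::Cop
+MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.'
+
+def_node_matcher :system_var?, <<-PATTERN
+(dstr (str ...) (begin ...) ...)
+PATTERN
+
+def on_send(node)
+return unless node.command?(:system)
+return unless node.method_args.any? { |e| system_var?(e) }
+
+add_offense(node, :selector)
+end
+end
+end
+end
+end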
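Review bot: The `# bad` line in the `@example` block reads `system("/bin/ls #(unknown)")`, which drops the interpolation the example is meant to show; it should match the summary comment above it, `# system("/bin/ls #{params[:file]}")`. The `system_var?` pattern also requires a literal segment before the first interpolation, so `system("#{cmd} -la")` is not reported, and `node.command?(:system)` appears to see only receiverless calls, leaving `Kernel.system(...)`, `exec`, `spawn` and backticks outside the cop's scope — worth stating in the class comment if that scope is intentional. The `# even better` example calls `shell_escape(filename)`, which is not a Ruby core or stdlib method; the multi-argument `exec("/bin/ls", filename)` already bypasses the shell, and if escaping is still wanted the stdlib name is `Shellwords.escape`.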
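--- a/lib/rubocop/gitlab-security/version.rb
+++ b/lib/rubocop/gitlab-security/version.rb
@@ -4,7 +4,7 @@ module RuboCop
 module GitlabSecurity
 # Version information for the GitlabSecurity Rubocop plugin.
 module Version
-STRING = '0.0.4'.freeze
+STRING = '0.0.5'.freeze
 end
 end
 end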
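--- a/rubocop-gitlab-security.gemspec
+++ b/rubocop-gitlab-security.gemspec
@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
 Basic security checking for Ruby files.
 A plugin for the RuboCop code style enforcing & linting tool.
 end_description
-spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security'
+spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
 spec.authors = ['Brian Neel']
 spec.email = [
 'brian@gitlab.com'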
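Review bot: The new `spec.homepage` value on the `+` line switches the scheme from `https://` to `http://`, so anyone following the gem's homepage link from the registry page is sent over plaintext to gitlab.com; the same downgraded value appears on the `homepage:` line of the `metadata` hunk. Keep the TLS scheme when moving the project path: `spec.homepage = 'https://gitlab.com/briann/rubocop-gitlab-security'`. The enclosing `Gem::Specification.new` block starts and ends outside the hunk.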
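--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-version: 0.0.4
+version: 0.0.5
 platform: ruby
 authors:
 - Brian Neel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-29 00:00:00.000000000 Z
+date: 2017-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop
@@ -54,9 +54,12 @@ files:
 - config/default.yml
 - lib/rubocop-gitlab-security.rb
 - lib/rubocop/cop/gitlab-security/cop.rb
+- lib/rubocop/cop/gitlab-security/deep_munge.rb
 - lib/rubocop/cop/gitlab-security/public_send.rb
 - lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
 - lib/rubocop/cop/gitlab-security/send_file_params.rb
+- lib/rubocop/cop/gitlab-security/sql_injection.rb
+- lib/rubocop/cop/gitlab-security/system_command_injection.rb
 - lib/rubocop/gitlab-security.rb
 - lib/rubocop/gitlab-security/concept.rb
 - lib/rubocop/gitlab-security/config_formatter.rb
@@ -72,7 +75,7 @@ files:
 - lib/rubocop/gitlab-security/version.rb
 - lib/rubocop/gitlab-security/wording.rb
 - rubocop-gitlab-security.gemspec
-homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security
+homepage: http://gitlab.com/briann/rubocop-gitlab-security
 licenses:
 - MIT
 metadata: {}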