rubocop-gitlab-security 0.0.5 → 0.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
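--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 2e1fe57d15469d24c90209220a37540eb886cdd7
-data.tar.gz: 5731689f88cac6519849b5c4d077705f6e814786
+metadata.gz: b7ac22afdb92ac5afb935e234c7f3b431a3f7a51
+data.tar.gz: 776a00f300e5caca9a23464e7f164538750a5405
 SHA512:
-metadata.gz: 0495dbd2a6a58e6287f254bd94902d41ce7ec9464ef3544b9fe10cc681508278c0bc37a6d042cebb88cfcae551ff1c074f8d76c814ce47b8325ab5ace6387fdb
-data.tar.gz: 7d9034db66ba383b9f4858954922ab80c897f4092985da4a74784775aa35ef5c0def2313a0f0f6381af3c5d1e87b6d5bcf8a67538a31617c182ad39aecab4ca3
+metadata.gz: 0dd34aa9d265e3227bddc9838b9bd440a684e80c15a3dbc3ba97ecc81a0ab67d4d2762946e91b3fbc1a912d09e6e7ea5728c187e3ae3fe4199ab1038d2f26448
+data.tar.gz: 3b60bd1a693361e7ba723044851013983904ccf8471339841d70b03bb831f5e8d00c68ecbb3be864f041f931d722a81b5753fa0843e4dd0c32158aa6fc750fdf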
@@ -5,12 +5,12 @@ module RuboCop
5
5
  #
6
6
  # If passed untrusted input these methods can be used to execute arbitrary methods on behalf
7
7
  # of an attacker.
8
- #
8
+ #
9
9
  # @example
10
10
  #
11
11
  # # bad
12
12
  # myobj.public_send("#{params[:foo]}")
13
- #
13
+ #
14
14
  # # good
15
15
  # case params[:foo].to_s
16
16
  # when 'choice1'
@@ -22,11 +22,14 @@ module RuboCop
22
22
  # end
23
23
  #
24
24
  class PublicSend < RuboCop::Cop::Cop
25
- MSG = 'Avoid using `send`'
25
+ MSG = "Avoid using `%s`. If this method is not passed user input it can be white-listed
26
+ by adding `#rubocop:disable GitlabSecurity/PublicSend`"
26
27
 
27
28
  def on_send(node)
28
29
  return unless node.command?(:send) || node.command?(:public_send)
29
- add_offense(node, :selector)
30
+
31
+ append_error = node.command?(:send) ? "send()" : "public_send()"
32
+ add_offense(node, :selector, format(MSG, append_error))
30
33
  end
31
34
  end
32
35
  end
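Review bot: The new MSG at the top of this hunk is a double-quoted literal that runs across two physical lines, so the offense text RuboCop prints contains a literal newline followed by whatever indentation precedes `by adding` on the continuation line; the same multi-line-literal pattern is introduced in the SendFileParams, SqlInjection and SystemCommandInjection hunks below. Keeping the constant on one logical line is a matter of splitting it into adjacent single-quoted pieces joined by a trailing backslash, e.g. `'... If this method is not passed user input it can be ' \` on the first line and `'white-listed by adding ...'.freeze` on the second, and the `.freeze` matches what the file already does for `Version::STRING`. The `%s` placeholder is filled by `format(MSG, append_error)` in `on_send`, so the substitution itself is fine.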
@@ -4,21 +4,23 @@ module RuboCop
4
4
  # Check for use of send_file(..., params[], ...)
5
5
  #
6
6
  # Passing user params to the send_file() method allows directory traversal
7
- #
7
+ #
8
8
  # @example
9
9
  #
10
10
  # # bad
11
11
  # send_file("/tmp/myproj/" + params[:filename])
12
- #
12
+ #
13
13
  # # good (verify directory)
14
-
14
+
15
15
  # basename = File.expand_path("/tmp/myproj")
16
16
  # filename = File.expand_path(File.join(basename, @file.public_filename))
17
17
  # raise if basename != filename
18
18
  # send_file filename, disposition: 'inline'
19
19
  #
20
20
  class SendFileParams < RuboCop::Cop::Cop
21
- MSG = 'Do not pass user provided params directly to send_file(), verify the path with file.expand_path() first.'
21
+ MSG = 'Do not pass user provided params directly to send_file(), verify
22
+ the path with file.expand_path() first. If the path has already been verified
23
+ this warning can be disabled using `#rubocop:disable GitlabSecurity/SendFileParams`'
22
24
 
23
25
  def_node_search :params_node?, <<-PATTERN
24
26
  (send (send nil :params) ... )
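Review bot: The rewritten MSG still tells the user to verify the path with `file.expand_path()`, but the method is `File.expand_path`, as the hunk's own good example (`basename = File.expand_path("/tmp/myproj")`) shows; since the commit rewrites this constant anyway, the capitalisation should be corrected so the guidance names a method that exists. A one-word change suffices: `verify the path with File.expand_path() first.` The `def_node_search :params_node?` heredoc and the rest of the class continue past the end of the hunk.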
@@ -4,19 +4,20 @@ module RuboCop
4
4
  # Check for use of where("name = '#{params[:name]}'")
5
5
  #
6
6
  # Passing user input to where() without parameterization can result in SQL Injection
7
- #
7
+ #
8
8
  # @example
9
9
  #
10
10
  # # bad
11
11
  # u = User.where("name = '#{params[:name]}'")
12
- #
12
+ #
13
13
  # # good (parameters)
14
14
  # u = User.where("name = ? AND id = ?", params[:name], params[:id])
15
15
  # u = User.where(name: params[:name], id: params[:id])
16
16
  #
17
17
  class SqlInjection < RuboCop::Cop::Cop
18
- MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries'
19
-
18
+ MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
19
+ If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SqlInjection`'
20
+
20
21
  def_node_matcher :where_user_input?, <<-PATTERN
21
22
  (send _ :where ...)
22
23
  PATTERN
@@ -4,20 +4,21 @@ module RuboCop
4
4
  # Check for use of system("/bin/ls #{params[:file]}")
5
5
  #
6
6
  # Passing user input to system() without sanitization and parameterization can result in command injection
7
- #
7
+ #
8
8
  # @example
9
9
  #
10
10
  # # bad
11
11
  # system("/bin/ls #(unknown)")
12
- #
12
+ #
13
13
  # # good (parameters)
14
14
  # system("/bin/ls", filename)
15
15
  # # even better
16
16
  # exec("/bin/ls", shell_escape(filename))
17
17
  #
18
18
  class SystemCommandInjection < RuboCop::Cop::Cop
19
- MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.'
20
-
19
+ MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
20
+ If this warning is in error you can white-list the line with `#rubocop:disable GitLabSecurity/SystemCommandInjection`'
21
+
21
22
  def_node_matcher :system_var?, <<-PATTERN
22
23
  (dstr (str ...) (begin ...) ...)
23
24
  PATTERN
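Review bot: The disable directive quoted in the new MSG names the department as `GitLabSecurity` (capital L), while the cops are defined under `module GitlabSecurity` (visible in the version hunk below) and the sibling messages in the PublicSend, SendFileParams and SqlInjection hunks all spell it `GitlabSecurity/...`. RuboCop matches the name in a `rubocop:disable` comment against the registered cop name, so a user who copies this directive verbatim would most likely have it rejected as an unknown cop rather than have the offense suppressed. The fix is a single character: `#rubocop:disable GitlabSecurity/SystemCommandInjection`. The `def_node_matcher :system_var?` heredoc and the rest of the class continue past the end of the hunk.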
@@ -4,7 +4,7 @@ module RuboCop
4
4
  module GitlabSecurity
5
5
  # Version information for the GitlabSecurity Rubocop plugin.
6
6
  module Version
7
- STRING = '0.0.5'.freeze
7
+ STRING = '0.0.6'.freeze
8
8
  end
9
9
  end
10
10
  end
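--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-version: 0.0.5
+version: 0.0.6
 platform: ruby
 authors:
 - Brian Neel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-10 00:00:00.000000000 Z
+date: 2017-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop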