rubocop-gitlab-security 0.0.5 → 0.0.6
- checksums.yaml +4 -4
- data/lib/rubocop/cop/gitlab-security/public_send.rb +7 -4
- data/lib/rubocop/cop/gitlab-security/send_file_params.rb +6 -4
- data/lib/rubocop/cop/gitlab-security/sql_injection.rb +5 -4
- data/lib/rubocop/cop/gitlab-security/system_command_injection.rb +5 -4
- data/lib/rubocop/gitlab-security/version.rb +1 -1
- metadata +2 -2
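--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b7ac22afdb92ac5afb935e234c7f3b431a3f7a51
+data.tar.gz: 776a00f300e5caca9a23464e7f164538750a5405
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0dd34aa9d265e3227bddc9838b9bd440a684e80c15a3dbc3ba97ecc81a0ab67d4d2762946e91b3fbc1a912d09e6e7ea5728c187e3ae3fe4199ab1038d2f26448
+data.tar.gz: 3b60bd1a693361e7ba723044851013983904ccf8471339841d70b03bb831f5e8d00c68ecbb3be864f041f931d722a81b5753fa0843e4dd0c32158aa6fc750fdf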
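--- a/data/lib/rubocop/cop/gitlab-security/public_send.rb
+++ b/data/lib/rubocop/cop/gitlab-security/public_send.rb
@@ -5,12 +5,12 @@ module RuboCop
 #
 # If passed untrusted input these methods can be used to execute arbitrary methods on behalf
 # of an attacker.
-#
+#
 # @example
 #
 # # bad
 # myobj.public_send("#{params[:foo]}")
-#
+#
 # # good
 # case params[:foo].to_s
 # when 'choice1'
@@ -22,11 +22,14 @@ module RuboCop
 # end
 #
 class PublicSend < RuboCop::Cop::Cop
-MSG =
+MSG = "Avoid using `%s`. If this method is not passed user input it can be white-listed
+by adding `#rubocop:disable GitlabSecurity/PublicSend`"
 
 def on_send(node)
 return unless node.command?(:send) || node.command?(:public_send)
-
+
+append_error = node.command?(:send) ? "send()" : "public_send()"
+add_offense(node, :selector, format(MSG, append_error))
 end
 end
 end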
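Review bot: The `return unless` guard that the new `append_error` branch relies on checks only `:send` and `:public_send`, so `obj.__send__(params[:action])` — which bypasses visibility exactly like `send` — is never reported; I would collapse the guard and the message selection into `return unless %i[send public_send __send__].any? { |m| node.command?(m) }` followed by `append_error = "#{node.method_name}()"`, which also keeps the message accurate for the third spelling. Separately, as far as I recall RuboCop's `command?` matches only receiverless calls, in which case `myobj.public_send("#{params[:foo]}")` from this cop's own `# bad` example would not be flagged and `method?` is the predicate wanted — worth confirming against the pinned RuboCop version with a spec for that example. The enclosing module header lies outside the hunk.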
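--- a/data/lib/rubocop/cop/gitlab-security/send_file_params.rb
+++ b/data/lib/rubocop/cop/gitlab-security/send_file_params.rb
@@ -4,21 +4,23 @@ module RuboCop
 # Check for use of send_file(..., params[], ...)
 #
 # Passing user params to the send_file() method allows directory traversal
-#
+#
 # @example
 #
 # # bad
 # send_file("/tmp/myproj/" + params[:filename])
-#
+#
 # # good (verify directory)
-
+
 # basename = File.expand_path("/tmp/myproj")
 # filename = File.expand_path(File.join(basename, @file.public_filename))
 # raise if basename != filename
 # send_file filename, disposition: 'inline'
 #
 class SendFileParams < RuboCop::Cop::Cop
-MSG = 'Do not pass user provided params directly to send_file(), verify
+MSG = 'Do not pass user provided params directly to send_file(), verify
+the path with file.expand_path() first. If the path has already been verified
+this warning can be disabled using `#rubocop:disable GitlabSecurity/SendFileParams`'
 
 def_node_search :params_node?, <<-PATTERN
 (send (send nil :params) ... )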
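Review bot: The new message tells users to "verify the path with file.expand_path() first", but the verification it points them at — `raise if basename != filename` in the `# good` example a few lines up — rejects every file, because `File.expand_path(File.join(basename, name))` equals `basename` only for an empty or `.` name; a real containment check is `raise unless filename.start_with?(basename + File::SEPARATOR)`, where the separator matters so that `/tmp/myproj2/x` is not accepted as living inside `/tmp/myproj`. The message should also name the method a Ruby reader will actually type, `File.expand_path`, rather than `file.expand_path()`. Note too that `(send (send nil :params) ...)` only sees a literal `params[...]` argument, so a value copied into a local before the `send_file` call goes unflagged, which the message could state as a known limitation. The `send_file` matching itself lies outside the hunk.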
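--- a/data/lib/rubocop/cop/gitlab-security/sql_injection.rb
+++ b/data/lib/rubocop/cop/gitlab-security/sql_injection.rb
@@ -4,19 +4,20 @@ module RuboCop
 # Check for use of where("name = '#{params[:name]}'")
 #
 # Passing user input to where() without parameterization can result in SQL Injection
-#
+#
 # @example
 #
 # # bad
 # u = User.where("name = '#{params[:name]}'")
-#
+#
 # # good (parameters)
 # u = User.where("name = ? AND id = ?", params[:name], params[:id])
 # u = User.where(name: params[:name], id: params[:id])
 #
 class SqlInjection < RuboCop::Cop::Cop
-MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries
-
+MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
+If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SqlInjection`'
+
 def_node_matcher :where_user_input?, <<-PATTERN
 (send _ :where ...)
 PATTERN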
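Review bot: The `where_user_input?` pattern that follows the new message, `(send _ :where ...)`, only ever sees `where`, so the other ActiveRecord entry points that accept raw SQL fragments — `order`, `pluck`, `group`, `having`, `joins`, `select`, `find_by_sql` — get no coverage, and `order(params[:sort])` is the textbook Rails injection. Widening the selector is a one-line change, `(send _ {:where :order :pluck :group :having :joins :select :find_by_sql} ...)`, provided the `on_send` handler, which sits outside this hunk, only uses the matcher to pick candidate nodes and then inspects the arguments for interpolation. The message text should then say "passed to query methods" rather than "passed to where()" so the wording matches what is reported.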
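--- a/data/lib/rubocop/cop/gitlab-security/system_command_injection.rb
+++ b/data/lib/rubocop/cop/gitlab-security/system_command_injection.rb
@@ -4,20 +4,21 @@ module RuboCop
 # Check for use of system("/bin/ls #{params[:file]}")
 #
 # Passing user input to system() without sanitization and parameterization can result in command injection
-#
+#
 # @example
 #
 # # bad
 # system("/bin/ls #(unknown)")
-#
+#
 # # good (parameters)
 # system("/bin/ls", filename)
 # # even better
 # exec("/bin/ls", shell_escape(filename))
 #
 class SystemCommandInjection < RuboCop::Cop::Cop
-MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
-
+MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
+If this warning is in error you can white-list the line with `#rubocop:disable GitLabSecurity/SystemCommandInjection`'
+
 def_node_matcher :system_var?, <<-PATTERN
 (dstr (str ...) (begin ...) ...)
 PATTERN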
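Review bot: The disable directive quoted in the new message, `#rubocop:disable GitLabSecurity/SystemCommandInjection`, spells the department `GitLabSecurity`, whereas the three sibling cops in this same release spell it `GitlabSecurity`; only one spelling can match the registered cop name (the module that fixes it lies outside the hunk), so a user who pastes this directive as written most likely gets no suppression, and the line should read `If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SystemCommandInjection`'`. The `system_var?` pattern, `(dstr (str ...) (begin ...) ...)`, also requires the interpolated string to open with a literal, so `system("#{cmd} -l")` is never matched; a union such as `{(dstr (str ...) (begin ...) ...) (dstr (begin ...) ...)}` closes that gap without touching `on_send`, which is outside the hunk. Finally, the `# even better` example calls `shell_escape`, which is neither a Ruby nor a Rails method (`Shellwords.escape` is), and with the multi-argument form of `exec` no shell is involved, so the escaping step is unnecessary and the example should simply show `exec("/bin/ls", filename)`.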
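--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.6
 platform: ruby
 authors:
 - Brian Neel
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-07-
+date: 2017-07-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop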