rubocop-gitlab-security 0.0.6 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b7ac22afdb92ac5afb935e234c7f3b431a3f7a51
-  data.tar.gz: 776a00f300e5caca9a23464e7f164538750a5405
+  metadata.gz: 0de5c70ba259b93d21c8b7516b44699985fe6473
+  data.tar.gz: aebb63f21cb446003f34a24f78bda31666279250
 SHA512:
-  metadata.gz: 0dd34aa9d265e3227bddc9838b9bd440a684e80c15a3dbc3ba97ecc81a0ab67d4d2762946e91b3fbc1a912d09e6e7ea5728c187e3ae3fe4199ab1038d2f26448
-  data.tar.gz: 3b60bd1a693361e7ba723044851013983904ccf8471339841d70b03bb831f5e8d00c68ecbb3be864f041f931d722a81b5753fa0843e4dd0c32158aa6fc750fdf
+  metadata.gz: a355bd388fcf9e8b22757a289de2be26252c72e05a58e22017fe90f7a765f8a3d2309ad87988bd7a1687242539e168ee4cb743337e65fab41f7378d27b874c64
+  data.tar.gz: e50d20427b601c6f92ea8a66ade418e04a5bf256767440c62d3b8c2c5fc760d0c97173eeea198a4eac74624593e365071d90584bfde2ff5260b3ffca890fd7c0

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## 0.1.0 (2017-08-24)
+
+- `PublicSend`: Check for `__send__` calls. (!5)
+- `PublicSend`: Correct checking for calls with and without arguments. (!5)
+- Add `JsonSerialization` cop to check for `to_json` or `as_json` without explicit
+  whitelisting. (!6)

data/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development, :test do
+  gem 'pry'
+  gem 'rspec', '~> 3.6.0'
+  gem 'rubocop-rspec', '~> 1.15.0'
+end

data/config/default.yml

@@ -6,20 +6,32 @@ AllCops:
     - '.+'
 
 GitlabSecurity/DeepMunge:
-  Description: Disallow removal of Deep Munge setting
+  Description: Checks for disabling the deep munge security control.
   Enabled: true
+  StyleGuide: http://www.rubydoc.info/gems/rubocop-gitlab-security/RuboCop/Cop/GitlabSecurity/DeepMunge
+
+GitlabSecurity/JsonSerialization:
+  Description: Checks for `to_json` / `as_json` without whitelisting via `only`.
+  Enabled: true
+  StyleGuide: http://www.rubydoc.info/gems/rubocop-gitlab-security/RuboCop/Cop/GitlabSecurity/JsonSerialization
+
 GitlabSecurity/PublicSend:
-  Description: Check for use of send()/public_send()
+  Description: Checks for the use of `public_send`, `send`, and `__send__` methods.
   Enabled: true
+  StyleGuide: http://www.rubydoc.info/gems/rubocop-gitlab-security/RuboCop/Cop/GitlabSecurity/PublicSend
+
 GitlabSecurity/RedirectToParamsUpdate:
   Description: Check for use of redirect_to(params.update())
   Enabled: true
+
 GitlabSecurity/SendFileParams:
   Description: Check for passing of params hash to send_file()
   Enabled: true
+
 GitlabSecurity/SqlInjection:
   Description: Check for SQL Injection in where()
   Enabled: true
+
 GitlabSecurity/SystemCommandInjection:
   Description: Check for Command Injection in System()
   Enabled: true

data/lib/rubocop-gitlab-security.rb

@@ -20,6 +20,7 @@ require 'rubocop/cop/gitlab-security/cop'
 RuboCop::GitlabSecurity::Inject.defaults!
 
 require 'rubocop/cop/gitlab-security/deep_munge'
+require 'rubocop/cop/gitlab-security/json_serialization'
 require 'rubocop/cop/gitlab-security/public_send'
 require 'rubocop/cop/gitlab-security/redirect_to_params_update'
 require 'rubocop/cop/gitlab-security/send_file_params'

data/lib/rubocop/cop/gitlab-security/deep_munge.rb

@@ -1,19 +1,20 @@
 module RuboCop
   module Cop
     module GitlabSecurity
-      # Check for disabling the deep munge security control via:
-      # config.action_dispatch.perform_deep_munge = false
+      # Checks for disabling the deep munge security control.
+      #
+      # Disabling this security setting can leave the application open to unsafe
+      # query generation
       #
-      # Disabling this security setting can leave the application open to unsafe query generation
-      # 
       # @example
       #
       #   # bad
       #   config.action_dispatch.perform_deep_munge = false
-      # 
+      #
+      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
       class DeepMunge < RuboCop::Cop::Cop
-        MSG = 'Never disable the deep munge security option. See CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155' 
-   
+        MSG = 'Never disable the deep munge security option.'.freeze
+
         def_node_matcher :disable_deep_munge?, <<-PATTERN
           (send (send (send nil :config) :action_dispatch) :perform_deep_munge= (false))
         PATTERN

data/lib/rubocop/cop/gitlab-security/json_serialization.rb

@@ -0,0 +1,126 @@
+module RuboCop
+  module Cop
+    module GitlabSecurity
+      # Checks for `to_json` / `as_json` without whitelisting via `only`.
+      #
+      # Either method called on an instance of a `Serializer` class will be
+      # ignored. Associations included via `include` are subject to the same
+      # rules.
+      #
+      # @example
+      #
+      #   # bad
+      #   render json: @user.to_json
+      #   render json: @user.to_json(except: %i[password])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: [:identities]
+      #   )
+      #
+      #   # acceptable
+      #   render json: UserSerializer.new.to_json
+      #
+      #   # good
+      #   render json: @user.to_json(only: %i[name username])
+      #   render json: @user.to_json(
+      #     only: %i[username],
+      #     include: { identities: { only: %i[provider] } }
+      #   )
+      #
+      # See https://gitlab.com/gitlab-org/gitlab-ce/issues/29661
+      class JsonSerialization < RuboCop::Cop::Cop
+        MSG = "Don't use `%s` without specifying `only`".freeze
+
+        # Check for `to_json` sent to any object that's not a Hash literal or
+        # Serializer instance
+        def_node_matcher :json_serialization?, <<~PATTERN
+          (send !{nil hash #serializer?} ${:to_json :as_json} $...)
+        PATTERN
+
+        # Check if node is a `only: ...` pair
+        def_node_matcher :only_pair?, <<~PATTERN
+          (pair (sym :only) ...)
+        PATTERN
+
+        # Check if node is a `include: {...}` pair
+        def_node_matcher :include_pair?, <<~PATTERN
+          (pair (sym :include) (hash $...))
+        PATTERN
+
+        # Check for a `only: [...]` pair anywhere in the node
+        def_node_search :contains_only?, <<~PATTERN
+          (pair (sym :only) (array ...))
+        PATTERN
+
+        # Check for `SomeConstant.new`
+        def_node_search :constant_init, <<~PATTERN
+          (send (const nil $_) :new ...)
+        PATTERN
+
+        def on_send(node)
+          matched = json_serialization?(node)
+          return unless matched
+
+          @_has_top_level_only = false
+          @method = matched.first
+
+          if matched.last.nil? || matched.last.empty?
+            # Empty `to_json` call
+            add_offense(node, :selector, format_message)
+          else
+            check_arguments(node, matched)
+          end
+        end
+
+        private
+
+        def format_message
+          format(MSG, @method)
+        end
+
+        def serializer?(node)
+          constant_init(node).any? { |name| name.to_s.end_with?('Serializer') }
+        end
+
+        def check_arguments(node, matched)
+          options = matched.last.first
+
+          # If `to_json` was given an argument that isn't a Hash, we don't
+          # know what to do here, so just move along
+          return unless options.hash_type?
+
+          options.each_child_node do |child_node|
+            check_pair(child_node)
+          end
+
+          return unless requires_only?
+
+          # Add a top-level offense for the entire argument list, but only if
+          # we haven't yet added any offenses to the child Hash values (such
+          # as `include`)
+          add_offense(node.children.last, :expression, format_message)
+        end
+
+        def check_pair(pair)
+          if only_pair?(pair)
+            @_has_top_level_only = true
+          elsif include_pair?(pair)
+            includes = pair.value
+
+            includes.each_child_node do |child_node|
+              next if contains_only?(child_node)
+
+              add_offense(child_node, :expression, format_message)
+            end
+          end
+        end
+
+        def requires_only?
+          return false if @_has_top_level_only
+
+          offenses.count.zero?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/gitlab-security/public_send.rb

@@ -1,10 +1,10 @@
 module RuboCop
   module Cop
     module GitlabSecurity
-      # Check for use of the dangerous public_send() and send() methods.
+      # Checks for the use of `public_send`, `send`, and `__send__` methods.
       #
-      # If passed untrusted input these methods can be used to execute arbitrary methods on behalf
-      # of an attacker.
+      # If passed untrusted input these methods can be used to execute arbitrary
+      # methods on behalf of an attacker.
       #
       # @example
       #
@@ -20,16 +20,19 @@ module RuboCop
       #   when 'choice3'
       #     items.choice3
       #   end
-      #
       class PublicSend < RuboCop::Cop::Cop
-        MSG = "Avoid using `%s`. If this method is not passed user input it can be white-listed
-        by adding `#rubocop:disable GitlabSecurity/PublicSend`"
+        MSG = 'Avoid using `%s`.'.freeze
+
+        def_node_matcher :send?, <<-PATTERN
+          (send _ ${:send :public_send :__send__} ...)
+        PATTERN
 
         def on_send(node)
-          return unless node.command?(:send) || node.command?(:public_send)
+          send?(node) do |match|
+            next unless node.arguments?
 
-          append_error = node.command?(:send) ? "send()" : "public_send()"
-          add_offense(node, :selector, format(MSG, append_error))
+            add_offense(node, :selector, format(MSG, match))
+          end
         end
       end
     end

data/lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb

@@ -4,17 +4,17 @@ module RuboCop
       # Check for use of redirect_to(params.update())
       #
       # Passing user params to the redirect_to method provides an open redirect
-      # 
+      #
       # @example
       #
       #   # bad
       #   redirect_to(params.update(action:'main'))
-      # 
+      #
       #   # good
       #   redirect_to(whitelist(params))
       #
       class RedirectToParamsUpdate < RuboCop::Cop::Cop
-        MSG = 'Avoid using redirect_to(params.update()). Only pass whitelisted arguments into redirect_to() (e.g. not including `host`)'
+        MSG = 'Avoid using redirect_to(params.update()). Only pass whitelisted arguments into redirect_to() (e.g. not including `host`)'.freeze
 
         def_node_matcher :redirect_to_params_update_node, <<-PATTERN
            (send nil :redirect_to (send (send nil :params) ${:update :merge} ...))

data/lib/rubocop/cop/gitlab-security/send_file_params.rb

@@ -20,7 +20,7 @@ module RuboCop
       class SendFileParams < RuboCop::Cop::Cop
         MSG = 'Do not pass user provided params directly to send_file(), verify
         the path with file.expand_path() first. If the path has already been verified
-        this warning can be disabled using `#rubocop:disable GitlabSecurity/SendFileParams`'
+        this warning can be disabled using `#rubocop:disable GitlabSecurity/SendFileParams`'.freeze
 
         def_node_search :params_node?, <<-PATTERN
            (send (send nil :params) ... )

data/lib/rubocop/cop/gitlab-security/sql_injection.rb

@@ -16,7 +16,7 @@ module RuboCop
       #
       class SqlInjection < RuboCop::Cop::Cop
         MSG = 'Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
-        If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SqlInjection`'
+        If this warning is in error you can white-list the line with `#rubocop:disable GitlabSecurity/SqlInjection`'.freeze
 
         def_node_matcher :where_user_input?, <<-PATTERN
           (send _ :where ...)

data/lib/rubocop/cop/gitlab-security/system_command_injection.rb

@@ -17,7 +17,7 @@ module RuboCop
       #
       class SystemCommandInjection < RuboCop::Cop::Cop
         MSG = 'Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
-        If this warning is in error you can white-list the line with `#rubocop:disable GitLabSecurity/SystemCommandInjection`'
+        If this warning is in error you can white-list the line with `#rubocop:disable GitLabSecurity/SystemCommandInjection`'.freeze
 
         def_node_matcher :system_var?, <<-PATTERN
           (dstr (str ...) (begin ...) ...)

data/lib/rubocop/gitlab-security/version.rb

@@ -2,9 +2,9 @@
 
 module RuboCop
   module GitlabSecurity
-    # Version information for the GitlabSecurity Rubocop  plugin.
+    # Version information for the GitlabSecurity Rubocop plugin.
     module Version
-      STRING = '0.0.6'.freeze
+      STRING = '0.1.0'
     end
   end
 end

data/rubocop-gitlab-security.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
     Basic security checking for Ruby files.
     A plugin for the RuboCop code style enforcing & linting tool.
   end_description
-  spec.homepage = 'http://gitlab.com/briann/rubocop-gitlab-security'
+  spec.homepage = 'https://gitlab.com/gitlab-org/rubocop-gitlab-security/'
   spec.authors = ['Brian Neel']
   spec.email = [
     'brian@gitlab.com'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-gitlab-security
 version: !ruby/object:Gem::Version
-  version: 0.0.6
+  version: 0.1.0
 platform: ruby
 authors:
 - Brian Neel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-07-28 00:00:00.000000000 Z
+date: 2017-08-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -49,12 +49,15 @@ extra_rdoc_files:
 - MIT-LICENSE.md
 - README.md
 files:
+- CHANGELOG.md
+- Gemfile
 - MIT-LICENSE.md
 - README.md
 - config/default.yml
 - lib/rubocop-gitlab-security.rb
 - lib/rubocop/cop/gitlab-security/cop.rb
 - lib/rubocop/cop/gitlab-security/deep_munge.rb
+- lib/rubocop/cop/gitlab-security/json_serialization.rb
 - lib/rubocop/cop/gitlab-security/public_send.rb
 - lib/rubocop/cop/gitlab-security/redirect_to_params_update.rb
 - lib/rubocop/cop/gitlab-security/send_file_params.rb
@@ -75,7 +78,7 @@ files:
 - lib/rubocop/gitlab-security/version.rb
 - lib/rubocop/gitlab-security/wording.rb
 - rubocop-gitlab-security.gemspec
-homepage: http://gitlab.com/briann/rubocop-gitlab-security
+homepage: https://gitlab.com/gitlab-org/rubocop-gitlab-security/
 licenses:
 - MIT
 metadata: {}
@@ -95,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: Basic security checks for projects