rubocop-rails 2.4.1

data/lib/rubocop/cop/rails/link_to_blank.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for calls to `link_to` that contain a
+      # `target: '_blank'` but no `rel: 'noopener'`. This can be a security
+      # risk as the loaded page will have control over the previous page
+      # and could change its location for phishing purposes.
+      #
+      # The option `rel: 'noreferrer'` also blocks this behavior
+      # and removes the http-referrer header.
+      #
+      # @example
+      #   # bad
+      #   link_to 'Click here', url, target: '_blank'
+      #
+      #   # good
+      #   link_to 'Click here', url, target: '_blank', rel: 'noopener'
+      #
+      #   # good
+      #   link_to 'Click here', url, target: '_blank', rel: 'noreferrer'
+      class LinkToBlank < Cop
+        MSG = 'Specify a `:rel` option containing noopener.'
+
+        def_node_matcher :blank_target?, <<~PATTERN
+          (pair {(sym :target) (str "target")} {(str "_blank") (sym :_blank)})
+        PATTERN
+
+        def_node_matcher :includes_noopener?, <<~PATTERN
+          (pair {(sym :rel) (str "rel")} ({str sym} #contains_noopener?))
+        PATTERN
+
+        def_node_matcher :rel_node?, <<~PATTERN
+          (pair {(sym :rel) (str "rel")} (str _))
+        PATTERN
+
+        def on_send(node)
+          return unless node.method?(:link_to)
+
+          option_nodes = node.each_child_node(:hash)
+
+          option_nodes.map(&:children).each do |options|
+            blank = options.find { |o| blank_target?(o) }
+            if blank && options.none? { |o| includes_noopener?(o) }
+              add_offense(blank)
+            end
+          end
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            send_node = node.parent.parent
+
+            option_nodes = send_node.each_child_node(:hash)
+            rel_node = nil
+            option_nodes.map(&:children).each do |options|
+              rel_node ||= options.find { |o| rel_node?(o) }
+            end
+
+            if rel_node
+              append_to_rel(rel_node, corrector)
+            else
+              add_rel(send_node, node, corrector)
+            end
+          end
+        end
+
+        private
+
+        def append_to_rel(rel_node, corrector)
+          existing_rel = rel_node.children.last.value
+          str_range = rel_node.children.last.loc.expression.adjust(
+            begin_pos: 1,
+            end_pos: -1
+          )
+          corrector.replace(str_range, "#{existing_rel} noopener")
+        end
+
+        def add_rel(send_node, offence_node, corrector)
+          opening_quote = offence_node.children.last.source[0]
+          closing_quote = opening_quote == ':' ? '' : opening_quote
+          new_rel_exp = ", rel: #{opening_quote}noopener#{closing_quote}"
+          range = send_node.arguments.last.source_range
+
+          corrector.insert_after(range, new_rel_exp)
+        end
+
+        def contains_noopener?(value)
+          return false unless value
+
+          rel_array = value.to_s.split(' ')
+          rel_array.include?('noopener') || rel_array.include?('noreferrer')
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/not_null_column.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for add_column call with NOT NULL constraint
+      # in migration file.
+      #
+      # @example
+      #   # bad
+      #   add_column :users, :name, :string, null: false
+      #   add_reference :products, :category, null: false
+      #
+      #   # good
+      #   add_column :users, :name, :string, null: true
+      #   add_column :users, :name, :string, null: false, default: ''
+      #   add_reference :products, :category
+      #   add_reference :products, :category, null: false, default: 1
+      class NotNullColumn < Cop
+        MSG = 'Do not add a NOT NULL column without a default value.'
+
+        def_node_matcher :add_not_null_column?, <<~PATTERN
+          (send nil? :add_column _ _ _ (hash $...))
+        PATTERN
+
+        def_node_matcher :add_not_null_reference?, <<~PATTERN
+          (send nil? :add_reference _ _ (hash $...))
+        PATTERN
+
+        def_node_matcher :null_false?, <<~PATTERN
+          (pair (sym :null) (false))
+        PATTERN
+
+        def_node_matcher :default_option?, <<~PATTERN
+          (pair (sym :default) !nil)
+        PATTERN
+
+        def on_send(node)
+          check_add_column(node)
+          check_add_reference(node)
+        end
+
+        private
+
+        def check_add_column(node)
+          pairs = add_not_null_column?(node)
+          check_pairs(pairs)
+        end
+
+        def check_add_reference(node)
+          pairs = add_not_null_reference?(node)
+          check_pairs(pairs)
+        end
+
+        def check_pairs(pairs)
+          return unless pairs
+          return if pairs.any? { |pair| default_option?(pair) }
+
+          null_false = pairs.find { |pair| null_false?(pair) }
+          return unless null_false
+
+          add_offense(null_false)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/output.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for the use of output calls like puts and print
+      #
+      # @example
+      #   # bad
+      #   puts 'A debug message'
+      #   pp 'A debug message'
+      #   print 'A debug message'
+      #
+      #   # good
+      #   Rails.logger.debug 'A debug message'
+      class Output < Cop
+        MSG = 'Do not write to stdout. ' \
+              "Use Rails's logger if you want to log."
+
+        def_node_matcher :output?, <<~PATTERN
+          (send nil? {:ap :p :pp :pretty_print :print :puts} ...)
+        PATTERN
+
+        def_node_matcher :io_output?, <<~PATTERN
+          (send
+            {
+              (gvar #match_gvar?)
+              {(const nil? :STDOUT) (const nil? :STDERR)}
+            }
+            {:binwrite :syswrite :write :write_nonblock}
+            ...)
+        PATTERN
+
+        def on_send(node)
+          return unless (output?(node) || io_output?(node)) &&
+                        node.arguments?
+
+          add_offense(node, location: :selector)
+        end
+
+        private
+
+        def match_gvar?(sym)
+          %i[$stdout $stderr].include?(sym)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/output_safety.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for the use of output safety calls like `html_safe`,
+      # `raw`, and `safe_concat`. These methods do not escape content. They
+      # simply return a SafeBuffer containing the content as is. Instead,
+      # use `safe_join` to join content and escape it and concat to
+      # concatenate content and escape it, ensuring its safety.
+      #
+      # @example
+      #   user_content = "<b>hi</b>"
+      #
+      #   # bad
+      #   "<p>#{user_content}</p>".html_safe
+      #   # => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"
+      #
+      #   # good
+      #   content_tag(:p, user_content)
+      #   # => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"
+      #
+      #   # bad
+      #   out = ""
+      #   out << "<li>#{user_content}</li>"
+      #   out << "<li>#{user_content}</li>"
+      #   out.html_safe
+      #   # => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"
+      #
+      #   # good
+      #   out = []
+      #   out << content_tag(:li, user_content)
+      #   out << content_tag(:li, user_content)
+      #   safe_join(out)
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"
+      #
+      #   # bad
+      #   out = "<h1>trusted content</h1>".html_safe
+      #   out.safe_concat(user_content)
+      #   # => ActiveSupport::SafeBuffer "<h1>trusted_content</h1><b>hi</b>"
+      #
+      #   # good
+      #   out = "<h1>trusted content</h1>".html_safe
+      #   out.concat(user_content)
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "<h1>trusted_content</h1>&lt;b&gt;hi&lt;/b&gt;"
+      #
+      #   # safe, though maybe not good style
+      #   out = "trusted content"
+      #   result = out.concat(user_content)
+      #   # => String "trusted content<b>hi</b>"
+      #   # because when rendered in ERB the String will be escaped:
+      #   # <%= result %>
+      #   # => trusted content&lt;b&gt;hi&lt;/b&gt;
+      #
+      #   # bad
+      #   (user_content + " " + content_tag(:span, user_content)).html_safe
+      #   # => ActiveSupport::SafeBuffer "<b>hi</b> <span><b>hi</b></span>"
+      #
+      #   # good
+      #   safe_join([user_content, " ", content_tag(:span, user_content)])
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"
+      class OutputSafety < Cop
+        MSG = 'Tagging a string as html safe may be a security risk.'
+
+        def on_send(node)
+          return if non_interpolated_string?(node)
+
+          return unless looks_like_rails_html_safe?(node) ||
+                        looks_like_rails_raw?(node) ||
+                        looks_like_rails_safe_concat?(node)
+
+          add_offense(node, location: :selector)
+        end
+        alias on_csend on_send
+
+        private
+
+        def non_interpolated_string?(node)
+          node.receiver&.str_type? && !node.receiver.dstr_type?
+        end
+
+        def looks_like_rails_html_safe?(node)
+          node.receiver && node.method?(:html_safe) && !node.arguments?
+        end
+
+        def looks_like_rails_raw?(node)
+          node.command?(:raw) && node.arguments.one?
+        end
+
+        def looks_like_rails_safe_concat?(node)
+          node.method?(:safe_concat) && node.arguments.one?
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/pluralization_grammar.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for correct grammar when using ActiveSupport's
+      # core extensions to the numeric classes.
+      #
+      # @example
+      #   # bad
+      #   3.day.ago
+      #   1.months.ago
+      #
+      #   # good
+      #   3.days.ago
+      #   1.month.ago
+      class PluralizationGrammar < Cop
+        SINGULAR_DURATION_METHODS = { second: :seconds,
+                                      minute: :minutes,
+                                      hour: :hours,
+                                      day: :days,
+                                      week: :weeks,
+                                      fortnight: :fortnights,
+                                      month: :months,
+                                      year: :years }.freeze
+
+        PLURAL_DURATION_METHODS = SINGULAR_DURATION_METHODS.invert.freeze
+
+        MSG = 'Prefer `%<number>s.%<correct>s`.'
+
+        def on_send(node)
+          return unless duration_method?(node.method_name)
+          return unless literal_number?(node.receiver)
+
+          return unless offense?(node)
+
+          add_offense(node)
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            method_name = node.loc.selector.source
+
+            corrector.replace(node.loc.selector, correct_method(method_name))
+          end
+        end
+
+        private
+
+        def message(node)
+          number, = *node.receiver
+
+          format(MSG, number: number,
+                      correct: correct_method(node.method_name.to_s))
+        end
+
+        def correct_method(method_name)
+          if plural_method?(method_name)
+            singularize(method_name)
+          else
+            pluralize(method_name)
+          end
+        end
+
+        def offense?(node)
+          number, = *node.receiver
+
+          singular_receiver?(number) && plural_method?(node.method_name) ||
+            plural_receiver?(number) && singular_method?(node.method_name)
+        end
+
+        def plural_method?(method_name)
+          method_name.to_s.end_with?('s')
+        end
+
+        def singular_method?(method_name)
+          !plural_method?(method_name)
+        end
+
+        def singular_receiver?(number)
+          number.abs == 1
+        end
+
+        def plural_receiver?(number)
+          !singular_receiver?(number)
+        end
+
+        def literal_number?(node)
+          node && (node.int_type? || node.float_type?)
+        end
+
+        def pluralize(method_name)
+          SINGULAR_DURATION_METHODS.fetch(method_name.to_sym).to_s
+        end
+
+        def singularize(method_name)
+          PLURAL_DURATION_METHODS.fetch(method_name.to_sym).to_s
+        end
+
+        def duration_method?(method_name)
+          SINGULAR_DURATION_METHODS.key?(method_name) ||
+            PLURAL_DURATION_METHODS.key?(method_name)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/presence.rb

@@ -0,0 +1,148 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks code that can be written more easily using
+      # `Object#presence` defined by Active Support.
+      #
+      # @example
+      #   # bad
+      #   a.present? ? a : nil
+      #
+      #   # bad
+      #   !a.present? ? nil : a
+      #
+      #   # bad
+      #   a.blank? ? nil : a
+      #
+      #   # bad
+      #   !a.blank? ? a : nil
+      #
+      #   # good
+      #   a.presence
+      #
+      # @example
+      #   # bad
+      #   a.present? ? a : b
+      #
+      #   # bad
+      #   !a.present? ? b : a
+      #
+      #   # bad
+      #   a.blank? ? b : a
+      #
+      #   # bad
+      #   !a.blank? ? a : b
+      #
+      #   # good
+      #   a.presence || b
+      class Presence < Cop
+        include RangeHelp
+
+        MSG = 'Use `%<prefer>s` instead of `%<current>s`.'
+
+        def_node_matcher :redundant_receiver_and_other, <<~PATTERN
+          {
+            (if
+              (send $_recv :present?)
+              _recv
+              $!begin
+            )
+            (if
+              (send $_recv :blank?)
+              $!begin
+              _recv
+            )
+          }
+        PATTERN
+
+        def_node_matcher :redundant_negative_receiver_and_other, <<~PATTERN
+          {
+            (if
+              (send (send $_recv :present?) :!)
+              $!begin
+              _recv
+            )
+            (if
+              (send (send $_recv :blank?) :!)
+              _recv
+              $!begin
+            )
+          }
+        PATTERN
+
+        def on_if(node)
+          return if ignore_if_node?(node)
+
+          redundant_receiver_and_other(node) do |receiver, other|
+            unless ignore_other_node?(other) || receiver.nil?
+              add_offense(node, message: message(node, receiver, other))
+            end
+          end
+
+          redundant_negative_receiver_and_other(node) do |receiver, other|
+            unless ignore_other_node?(other) || receiver.nil?
+              add_offense(node, message: message(node, receiver, other))
+            end
+          end
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            redundant_receiver_and_other(node) do |receiver, other|
+              corrector.replace(node.source_range, replacement(receiver, other))
+            end
+
+            redundant_negative_receiver_and_other(node) do |receiver, other|
+              corrector.replace(node.source_range, replacement(receiver, other))
+            end
+          end
+        end
+
+        private
+
+        def ignore_if_node?(node)
+          node.elsif?
+        end
+
+        def ignore_other_node?(node)
+          node && (node.if_type? || node.rescue_type? || node.while_type?)
+        end
+
+        def message(node, receiver, other)
+          format(MSG,
+                 prefer: replacement(receiver, other),
+                 current: node.source)
+        end
+
+        def replacement(receiver, other)
+          or_source = if other&.send_type?
+                        build_source_for_or_method(other)
+                      elsif other.nil? || other.nil_type?
+                        ''
+                      else
+                        " || #{other.source}"
+                      end
+
+          "#{receiver.source}.presence" + or_source
+        end
+
+        def build_source_for_or_method(other)
+          if other.parenthesized? || other.method?('[]') || !other.arguments?
+            " || #{other.source}"
+          else
+            method = range_between(
+              other.source_range.begin_pos,
+              other.first_argument.source_range.begin_pos - 1
+            ).source
+
+            arguments = other.arguments.map(&:source).join(', ')
+
+            " || #{method}(#{arguments})"
+          end
+        end
+      end
+    end
+  end
+end