rubocop-rails 2.0.0

data/lib/rubocop/cop/rails/lexically_scoped_action_filter.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks that methods specified in the filter's `only` or
+      # `except` options are defined within the same class or module.
+      #
+      # You can technically specify methods of superclass or methods added by
+      # mixins on the filter, but these can confuse developers. If you specify
+      # methods that are defined in other classes or modules, you should
+      # define the filter in that class or module.
+      #
+      # If you rely on behaviour defined in the superclass actions, you must
+      # remember to invoke `super` in the subclass actions.
+      #
+      # @example
+      #   # bad
+      #   class LoginController < ApplicationController
+      #     before_action :require_login, only: %i[index settings logout]
+      #
+      #     def index
+      #     end
+      #   end
+      #
+      #   # good
+      #   class LoginController < ApplicationController
+      #     before_action :require_login, only: %i[index settings logout]
+      #
+      #     def index
+      #     end
+      #
+      #     def settings
+      #     end
+      #
+      #     def logout
+      #     end
+      #   end
+      #
+      # @example
+      #   # bad
+      #   module FooMixin
+      #     extend ActiveSupport::Concern
+      #
+      #     included do
+      #       before_action proc { authenticate }, only: :foo
+      #     end
+      #   end
+      #
+      #   # good
+      #   module FooMixin
+      #     extend ActiveSupport::Concern
+      #
+      #     included do
+      #       before_action proc { authenticate }, only: :foo
+      #     end
+      #
+      #     def foo
+      #       # something
+      #     end
+      #   end
+      #
+      # @example
+      #   class ContentController < ApplicationController
+      #     def update
+      #       @content.update(content_attributes)
+      #     end
+      #   end
+      #
+      #   class ArticlesController < ContentController
+      #     before_action :load_article, only: [:update]
+      #
+      #     # the cop requires this method, but it relies on behaviour defined
+      #     # in the superclass, so needs to invoke `super`
+      #     def update
+      #       super
+      #     end
+      #
+      #     private
+      #
+      #     def load_article
+      #       @content = Article.find(params[:article_id])
+      #     end
+      #   end
+      class LexicallyScopedActionFilter < Cop
+        MSG = '%<action>s not explicitly defined on the %<type>s.'
+
+        FILTERS = %w[
+          :after_action
+          :append_after_action
+          :append_around_action
+          :append_before_action
+          :around_action
+          :before_action
+          :prepend_after_action
+          :prepend_around_action
+          :prepend_before_action
+          :skip_after_action
+          :skip_around_action
+          :skip_before_action
+          :skip_action_callback
+        ].freeze
+
+        def_node_matcher :only_or_except_filter_methods, <<-PATTERN
+          (send
+            nil?
+            {#{FILTERS.join(' ')}}
+            _
+            (hash
+              (pair
+                (sym {:only :except})
+                $_)))
+        PATTERN
+
+        def on_send(node)
+          methods_node = only_or_except_filter_methods(node)
+          return unless methods_node
+
+          parent = node.each_ancestor(:class, :module).first
+          return unless parent
+
+          block = parent.each_child_node(:begin).first
+          return unless block
+
+          defined_methods = block.each_child_node(:def).map(&:method_name)
+          methods = array_values(methods_node).reject do |method|
+            defined_methods.include?(method)
+          end
+
+          message = message(methods, parent)
+          add_offense(node, message: message) unless methods.empty?
+        end
+
+        private
+
+        # @param node [RuboCop::AST::Node]
+        # @return [Array<Symbol>]
+        def array_values(node) # rubocop:disable Metrics/MethodLength
+          case node.type
+          when :str
+            [node.str_content.to_sym]
+          when :sym
+            [node.value]
+          when :array
+            node.values.map do |v|
+              case v.type
+              when :str
+                v.str_content.to_sym
+              when :sym
+                v.value
+              end
+            end.compact
+          else
+            []
+          end
+        end
+
+        # @param methods [Array<String>]
+        # @param parent [RuboCop::AST::Node]
+        # @return [String]
+        def message(methods, parent)
+          if methods.size == 1
+            format(MSG,
+                   action: "`#{methods[0]}` is",
+                   type: parent.type)
+          else
+            format(MSG,
+                   action: "`#{methods.join('`, `')}` are",
+                   type: parent.type)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/link_to_blank.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for calls to `link_to` that contain a
+      # `target: '_blank'` but no `rel: 'noopener'`. This can be a security
+      # risk as the loaded page will have control over the previous page
+      # and could change its location for phishing purposes.
+      #
+      # The option `rel: 'noreferrer'` also blocks this behavior
+      # and removes the http-referrer header.
+      #
+      # @example
+      #   # bad
+      #   link_to 'Click here', url, target: '_blank'
+      #
+      #   # good
+      #   link_to 'Click here', url, target: '_blank', rel: 'noopener'
+      #
+      #   # good
+      #   link_to 'Click here', url, target: '_blank', rel: 'noreferrer'
+      class LinkToBlank < Cop
+        MSG = 'Specify a `:rel` option containing noopener.'
+
+        def_node_matcher :blank_target?, <<-PATTERN
+          (pair {(sym :target) (str "target")} {(str "_blank") (sym :_blank)})
+        PATTERN
+
+        def_node_matcher :includes_noopener?, <<-PATTERN
+          (pair {(sym :rel) (str "rel")} ({str sym} #contains_noopener?))
+        PATTERN
+
+        def_node_matcher :rel_node?, <<-PATTERN
+          (pair {(sym :rel) (str "rel")} (str _))
+        PATTERN
+
+        def on_send(node)
+          return unless node.method?(:link_to)
+
+          option_nodes = node.each_child_node(:hash)
+
+          option_nodes.map(&:children).each do |options|
+            blank = options.find { |o| blank_target?(o) }
+            if blank && options.none? { |o| includes_noopener?(o) }
+              add_offense(blank)
+            end
+          end
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            send_node = node.parent.parent
+
+            option_nodes = send_node.each_child_node(:hash)
+            rel_node = nil
+            option_nodes.map(&:children).each do |options|
+              rel_node ||= options.find { |o| rel_node?(o) }
+            end
+
+            if rel_node
+              append_to_rel(rel_node, corrector)
+            else
+              add_rel(send_node, node, corrector)
+            end
+          end
+        end
+
+        private
+
+        def append_to_rel(rel_node, corrector)
+          existing_rel = rel_node.children.last.value
+          str_range = rel_node.children.last.loc.expression.adjust(
+            begin_pos: 1,
+            end_pos: -1
+          )
+          corrector.replace(str_range, "#{existing_rel} noopener")
+        end
+
+        def add_rel(send_node, offence_node, corrector)
+          opening_quote = offence_node.children.last.source[0]
+          closing_quote = opening_quote == ':' ? '' : opening_quote
+          new_rel_exp = ", rel: #{opening_quote}noopener#{closing_quote}"
+          range = send_node.arguments.last.source_range
+
+          corrector.insert_after(range, new_rel_exp)
+        end
+
+        def contains_noopener?(value)
+          return false unless value
+
+          rel_array = value.to_s.split(' ')
+          rel_array.include?('noopener') || rel_array.include?('noreferrer')
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/not_null_column.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for add_column call with NOT NULL constraint
+      # in migration file.
+      #
+      # @example
+      #   # bad
+      #   add_column :users, :name, :string, null: false
+      #   add_reference :products, :category, null: false
+      #
+      #   # good
+      #   add_column :users, :name, :string, null: true
+      #   add_column :users, :name, :string, null: false, default: ''
+      #   add_reference :products, :category
+      #   add_reference :products, :category, null: false, default: 1
+      class NotNullColumn < Cop
+        MSG = 'Do not add a NOT NULL column without a default value.'
+
+        def_node_matcher :add_not_null_column?, <<-PATTERN
+          (send nil? :add_column _ _ _ (hash $...))
+        PATTERN
+
+        def_node_matcher :add_not_null_reference?, <<-PATTERN
+          (send nil? :add_reference _ _ (hash $...))
+        PATTERN
+
+        def_node_matcher :null_false?, <<-PATTERN
+          (pair (sym :null) (false))
+        PATTERN
+
+        def_node_matcher :default_option?, <<-PATTERN
+          (pair (sym :default) !nil)
+        PATTERN
+
+        def on_send(node)
+          check_add_column(node)
+          check_add_reference(node)
+        end
+
+        private
+
+        def check_add_column(node)
+          pairs = add_not_null_column?(node)
+          check_pairs(pairs)
+        end
+
+        def check_add_reference(node)
+          pairs = add_not_null_reference?(node)
+          check_pairs(pairs)
+        end
+
+        def check_pairs(pairs)
+          return unless pairs
+          return if pairs.any? { |pair| default_option?(pair) }
+
+          null_false = pairs.find { |pair| null_false?(pair) }
+          return unless null_false
+
+          add_offense(null_false)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/output.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for the use of output calls like puts and print
+      #
+      # @example
+      #   # bad
+      #   puts 'A debug message'
+      #   pp 'A debug message'
+      #   print 'A debug message'
+      #
+      #   # good
+      #   Rails.logger.debug 'A debug message'
+      class Output < Cop
+        MSG = 'Do not write to stdout. ' \
+              "Use Rails's logger if you want to log."
+
+        def_node_matcher :output?, <<-PATTERN
+          (send nil? {:ap :p :pp :pretty_print :print :puts} ...)
+        PATTERN
+
+        def_node_matcher :io_output?, <<-PATTERN
+          (send
+            {
+              (gvar #match_gvar?)
+              {(const nil? :STDOUT) (const nil? :STDERR)}
+            }
+            {:binwrite :syswrite :write :write_nonblock}
+            ...)
+        PATTERN
+
+        def on_send(node)
+          return unless (output?(node) || io_output?(node)) &&
+                        node.arguments?
+
+          add_offense(node, location: :selector)
+        end
+
+        private
+
+        def match_gvar?(sym)
+          %i[$stdout $stderr].include?(sym)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/rails/output_safety.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Rails
+      # This cop checks for the use of output safety calls like `html_safe`,
+      # `raw`, and `safe_concat`. These methods do not escape content. They
+      # simply return a SafeBuffer containing the content as is. Instead,
+      # use `safe_join` to join content and escape it and concat to
+      # concatenate content and escape it, ensuring its safety.
+      #
+      # @example
+      #   user_content = "<b>hi</b>"
+      #
+      #   # bad
+      #   "<p>#{user_content}</p>".html_safe
+      #   # => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"
+      #
+      #   # good
+      #   content_tag(:p, user_content)
+      #   # => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"
+      #
+      #   # bad
+      #   out = ""
+      #   out << "<li>#{user_content}</li>"
+      #   out << "<li>#{user_content}</li>"
+      #   out.html_safe
+      #   # => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"
+      #
+      #   # good
+      #   out = []
+      #   out << content_tag(:li, user_content)
+      #   out << content_tag(:li, user_content)
+      #   safe_join(out)
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"
+      #
+      #   # bad
+      #   out = "<h1>trusted content</h1>".html_safe
+      #   out.safe_concat(user_content)
+      #   # => ActiveSupport::SafeBuffer "<h1>trusted_content</h1><b>hi</b>"
+      #
+      #   # good
+      #   out = "<h1>trusted content</h1>".html_safe
+      #   out.concat(user_content)
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "<h1>trusted_content</h1>&lt;b&gt;hi&lt;/b&gt;"
+      #
+      #   # safe, though maybe not good style
+      #   out = "trusted content"
+      #   result = out.concat(user_content)
+      #   # => String "trusted content<b>hi</b>"
+      #   # because when rendered in ERB the String will be escaped:
+      #   # <%= result %>
+      #   # => trusted content&lt;b&gt;hi&lt;/b&gt;
+      #
+      #   # bad
+      #   (user_content + " " + content_tag(:span, user_content)).html_safe
+      #   # => ActiveSupport::SafeBuffer "<b>hi</b> <span><b>hi</b></span>"
+      #
+      #   # good
+      #   safe_join([user_content, " ", content_tag(:span, user_content)])
+      #   # => ActiveSupport::SafeBuffer
+      #   #    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"
+      class OutputSafety < Cop
+        MSG = 'Tagging a string as html safe may be a security risk.'
+
+        def on_send(node)
+          return if non_interpolated_string?(node)
+
+          return unless looks_like_rails_html_safe?(node) ||
+                        looks_like_rails_raw?(node) ||
+                        looks_like_rails_safe_concat?(node)
+
+          add_offense(node, location: :selector)
+        end
+        alias on_csend on_send
+
+        private
+
+        def non_interpolated_string?(node)
+          node.receiver&.str_type? && !node.receiver.dstr_type?
+        end
+
+        def looks_like_rails_html_safe?(node)
+          node.receiver && node.method?(:html_safe) && !node.arguments?
+        end
+
+        def looks_like_rails_raw?(node)
+          node.command?(:raw) && node.arguments.one?
+        end
+
+        def looks_like_rails_safe_concat?(node)
+          node.method?(:safe_concat) && node.arguments.one?
+        end
+      end
+    end
+  end
+end