rubocop-vendor 0.10.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a33862f683a309f1600a568b4eeb7b4f52e5eed2bd2ea5fede18abaf9d561e8
-  data.tar.gz: c82795011f42d2defeda94fc5449a0dc5467e4d98989fbe7fa3b900e13fc3d68
+  metadata.gz: 5e8a207496eb8ecac737af481053083a942d3ad3bbbdabe19c0786afbabff226
+  data.tar.gz: 0636c9d456890e9ff0cbf0dd58844d9d84d0b9720c52f242d993a45d06d7562f
 SHA512:
-  metadata.gz: 424caf7dec430127f8e22d628094c5e133c71c8d6eee4fb4511a6bad1ac4fa6cfc8e1cd1d7a6f00caa0828f20662216569c992b5637590b17ebf43f462674d23
-  data.tar.gz: 5fbe0dac05a5d3e43a08c194e5889d7bf4f062fba87bc3405791a090d06f1d611a108e8f5c8c3eb848a5c38860187d4e14fecef04b819a459941abcafa8c78aa
+  metadata.gz: 9b9fd407aace500ee8a51d024e476213cc4a525d2f18f413059ba32c76d418d79407c1d421550de51ebcda4543b7396a42b9e95a73497a39c4e4a5f0e8ac2104
+  data.tar.gz: 45aa5f974f41e6e8ce97f58366ca5c98e981861edf5aaac45f3653abe03a9b1d80c6e8f1b2ed74a6c06b6454f5bcb3c7ed98b6417fa868663e09db154d499926

data/lib/rubocop/cop/vendor/active_record_connection_execute.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Vendor
+      # This cop checks for `ActiveRecord::Connection#execute` usage and suggests
+      # using non-manually memory managed objects instead.
+      #
+      # The main reason for this is this is a common way to leak memory in a Ruby on Rails application.
+      # see {
+      # https://github.com/rails/rails/blob/a19b13b61f7af612569943ec7d536185cbec875c/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb#L127
+      # ActiveRecord documentation
+      # }.
+      #
+      # @example
+      #   # bad
+      #   ActiveRecord::Base.connection.execute('SELECT * FROM users')
+      #   ApplicationRecord.connection.execute('SELECT * FROM users')
+      #   User.connection.execute('SELECT * FROM users')
+      #
+      #   # good
+      #   ActiveRecord::Base.connection.select_all('SELECT * FROM users')
+      #   ApplicationRecord.connection.select_all('SELECT * FROM users')
+      #   User.connection.select_all('SELECT * FROM users')
+      #
+      class ActiveRecordConnectionExecute < Base
+        MSG = <<-STR.strip
+          Use of `ActiveRecord::Connection#execute` returns manually memory managed object, consider using `select_one`, `select_all`, `insert`, `update`, `delete`. If necessary, you can also use `exec_query`, `exec_insert`, `exec_update`, `exec_delete`.
+        STR
+
+        # @!method connection_execute_method_call?(node)
+        def_node_matcher :connection_execute_method_call?, <<-PATTERN
+          (send (send _ :connection) :execute ...)
+        PATTERN
+
+        def on_send(node)
+          return unless connection_execute_method_call?(node)
+
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+  module Cop
+    module Vendor
+      # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
+      # where the array format is used, but it contains (probably not) intended slashes.
+      # These slashes will be converted to %2f instead of a path component.
+      #
+      # @example
+      #   # bad
+      #   Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
+      #
+      #   # good
+      #   Ws::AccountService.post(["test", "foo"])
+      #
+      class WsSdkPathArraySlash < Base
+        extend AutoCorrector
+
+        MSG = <<-STR.strip
+          When switching to array arguments, you must put each path component individually
+        STR
+        HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+        # @!method ws_sdk_service_call?(node)
+        def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+          (send (const (const _ :Ws) _) %method $...)
+        PATTERN
+
+        def on_send(node)
+          path, = ws_sdk_service_call?(node)
+          return unless path&.array_type?
+
+          strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
+
+          strings_with_slash.each do |str_node|
+            add_offense(str_node) do |corrector|
+              correct_path(corrector, path)
+            end
+          end
+        end
+
+        private
+
+        def correct_path(corrector, path)
+          parts =
+            path.children.flat_map do |child|
+              if child.str_type? && child.value.include?('/')
+                child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+              else
+                [child.source]
+              end
+            end
+          corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+  module Cop
+    module Vendor
+      # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
+      # instead of using interpolated values that could be user input.
+      #
+      # This is to avoid path injection, a potential security vulnerability!
+      #
+      # @example
+      #   # bad
+      #   # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
+      #   Ws::AccountService.post("/api/accounts/#{account_id}/details")
+      #
+      #   # good
+      #   Ws::AccountService.post(["api","accounts", account_id, "details"])
+      #
+      #   # okay, but prefer above
+      #   Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
+      #
+      class WsSdkPathInjection < Base
+        extend AutoCorrector
+
+        MSG = <<-STR.strip
+          Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
+        STR
+        HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+        # @!method ws_sdk_service_call?(node)
+        def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+          (send (const (const _ :Ws) _) %method $...)
+        PATTERN
+
+        def on_send(node)
+          return unless self.class.ws_sdk_supports_arrays?
+
+          path, = ws_sdk_service_call?(node)
+          return unless path && path.type != :array
+
+          add_offense(path) do |corrector|
+            correct_path(corrector, path)
+          end
+        end
+
+        def self.ws_sdk_supports_arrays?
+          version = Gem.loaded_specs['ws-sdk']&.version
+          version && version >= Gem::Version.new('13.3.0')
+        end
+
+        private
+
+        def correct_path(corrector, path)
+          parts =
+            if path.send_type?
+              [path.source]
+            else
+              convert_str_path_to_source(path)
+            end
+          return unless parts # conversion to parts failed, cannot auto-correct
+
+          corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+        end
+
+        def convert_str_path_to_source(path)
+          path.children.flat_map do |child|
+            case child&.type
+            when :str
+              convert_str_node_to_array_source(child)
+            when :begin # begin interpolation
+              child.children.first.source
+            when :send
+              child.source
+            else
+              break # do not know how to auto-correct other types
+            end
+          end
+        end
+
+        def convert_str_node_to_array_source(node)
+          node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/vendor_cops.rb

@@ -3,6 +3,7 @@
 module RuboCop
 end
 
+require_relative 'vendor/active_record_connection_execute'
 require_relative 'vendor/recursive_open_struct_gem'
 require_relative 'vendor/sidekiq_throttled_gem'
 require_relative 'vendor/recursive_open_struct_use'
@@ -12,3 +13,5 @@ require_relative 'vendor/rollbar_log'
 require_relative 'vendor/rollbar_logger'
 require_relative 'vendor/rollbar_with_exception'
 require_relative 'vendor/strict_dry_struct'
+require_relative 'vendor/ws_sdk_path_array_slash'
+require_relative 'vendor/ws_sdk_path_injection'

data/lib/rubocop/vendor/version.rb

@@ -2,6 +2,6 @@
 
 module RuboCop
   module Vendor
-    VERSION = '0.10.0'
+    VERSION = '0.12.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-vendor
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-26 00:00:00.000000000 Z
+date: 2023-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -82,6 +82,7 @@ files:
 - README.md
 - config/default.yml
 - lib/rubocop-vendor.rb
+- lib/rubocop/cop/vendor/active_record_connection_execute.rb
 - lib/rubocop/cop/vendor/base.rb
 - lib/rubocop/cop/vendor/recursive_open_struct_gem.rb
 - lib/rubocop/cop/vendor/recursive_open_struct_use.rb
@@ -92,6 +93,8 @@ files:
 - lib/rubocop/cop/vendor/rollbar_with_exception.rb
 - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
 - lib/rubocop/cop/vendor/strict_dry_struct.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
 - lib/rubocop/cop/vendor_cops.rb
 - lib/rubocop/vendor.rb
 - lib/rubocop/vendor/inject.rb