rubocop-vendor 0.10.0 → 0.12.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 0a33862f683a309f1600a568b4eeb7b4f52e5eed2bd2ea5fede18abaf9d561e8
4
- data.tar.gz: c82795011f42d2defeda94fc5449a0dc5467e4d98989fbe7fa3b900e13fc3d68
3
+ metadata.gz: 5e8a207496eb8ecac737af481053083a942d3ad3bbbdabe19c0786afbabff226
4
+ data.tar.gz: 0636c9d456890e9ff0cbf0dd58844d9d84d0b9720c52f242d993a45d06d7562f
5
5
  SHA512:
6
- metadata.gz: 424caf7dec430127f8e22d628094c5e133c71c8d6eee4fb4511a6bad1ac4fa6cfc8e1cd1d7a6f00caa0828f20662216569c992b5637590b17ebf43f462674d23
7
- data.tar.gz: 5fbe0dac05a5d3e43a08c194e5889d7bf4f062fba87bc3405791a090d06f1d611a108e8f5c8c3eb848a5c38860187d4e14fecef04b819a459941abcafa8c78aa
6
+ metadata.gz: 9b9fd407aace500ee8a51d024e476213cc4a525d2f18f413059ba32c76d418d79407c1d421550de51ebcda4543b7396a42b9e95a73497a39c4e4a5f0e8ac2104
7
+ data.tar.gz: 45aa5f974f41e6e8ce97f58366ca5c98e981861edf5aaac45f3653abe03a9b1d80c6e8f1b2ed74a6c06b6454f5bcb3c7ed98b6417fa868663e09db154d499926
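--- a/lib/rubocop/cop/vendor/active_record_connection_execute.rb
+++ b/lib/rubocop/cop/vendor/active_record_connection_execute.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `ActiveRecord::Connection#execute` usage and suggests
+# using non-manually memory managed objects instead.
+#
+# The main reason for this is this is a common way to leak memory in a Ruby on Rails application.
+# see {
+# https://github.com/rails/rails/blob/a19b13b61f7af612569943ec7d536185cbec875c/activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb#L127
+# ActiveRecord documentation
+# }.
+#
+# @example
+# # bad
+# ActiveRecord::Base.connection.execute('SELECT * FROM users')
+# ApplicationRecord.connection.execute('SELECT * FROM users')
+# User.connection.execute('SELECT * FROM users')
+#
+# # good
+# ActiveRecord::Base.connection.select_all('SELECT * FROM users')
+# ApplicationRecord.connection.select_all('SELECT * FROM users')
+# User.connection.select_all('SELECT * FROM users')
+#
+class ActiveRecordConnectionExecute < Base
+MSG = <<-STR.strip
+Use of `ActiveRecord::Connection#execute` returns manually memory managed object, consider using `select_one`, `select_all`, `insert`, `update`, `delete`. If necessary, you can also use `exec_query`, `exec_insert`, `exec_update`, `exec_delete`.
+STR
+
+# @!method connection_execute_method_call?(node)
+def_node_matcher :connection_execute_method_call?, <<-PATTERN
+(send (send _ :connection) :execute ...)
+PATTERN
+
+def on_send(node)
+return unless connection_execute_method_call?(node)
+
+add_offense(node)
+end
+end
+end
+end
+end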
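Review bot: The matcher `(send (send _ :connection) :execute ...)` leaves the receiver of `connection` unconstrained, so any object that exposes a `connection` with an `execute` method (an HTTP or cache client wrapper, say) is flagged with an ActiveRecord-specific message; the class comment should say so, e.g. `# Matches on call shape only: any `receiver.connection.execute(...)` is flagged, since the receiver's class cannot be resolved statically.` Since `on_send` only ever acts on `:execute`, adding `RESTRICT_ON_SEND = %i[execute].freeze` under `MSG` lets RuboCop skip every other send node before the pattern is evaluated. The message names `ActiveRecord::Connection#execute` while the examples go through `ActiveRecord::Base.connection`; aligning the two would make the offense easier to search for.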
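--- a/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
+++ b/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
+# where the array format is used, but it contains (probably not) intended slashes.
+# These slashes will be converted to %2f instead of a path component.
+#
+# @example
+# # bad
+# Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
+#
+# # good
+# Ws::AccountService.post(["test", "foo"])
+#
+class WsSdkPathArraySlash < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+When switching to array arguments, you must put each path component individually
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+path, = ws_sdk_service_call?(node)
+return unless path&.array_type?
+
+strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
+
+strings_with_slash.each do |str_node|
+add_offense(str_node) do |corrector|
+correct_path(corrector, path)
+end
+end
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+path.children.flat_map do |child|
+if child.str_type? && child.value.include?('/')
+child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+else
+[child.source]
+end
+end
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+end
+end
+end
+end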
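Review bot: `correct_path` builds each replacement component with `"\"#{v}\""`, which does not escape a `"`, `\` or `#{` inside the original literal, so the rewritten array can parse to a different string or not parse at all; `.map(&:inspect)` yields a correctly escaped Ruby literal. The `delete_prefix('/').delete_suffix('/').split('/')` chain also turns `"a//b"` into an empty component and a bare `"/"` into no component at all, silently dropping it from the array; skipping the autocorrect when any produced component is empty would be safer than rewriting. The `@example` comment has a typo, `forward flash` should read `forward slash`. `Set[...]` is used without `require 'set'`; that is autoloaded on Ruby 3.2+ and RuboCop itself presumably loads it, but older Rubies may need the explicit require.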
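--- a/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
+++ b/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
+# instead of using interpolated values that could be user input.
+#
+# This is to avoid path injection, a potential security vulnerability!
+#
+# @example
+# # bad
+# # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
+# Ws::AccountService.post("/api/accounts/#{account_id}/details")
+#
+# # good
+# Ws::AccountService.post(["api","accounts", account_id, "details"])
+#
+# # okay, but prefer above
+# Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
+#
+class WsSdkPathInjection < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+return unless self.class.ws_sdk_supports_arrays?
+
+path, = ws_sdk_service_call?(node)
+return unless path && path.type != :array
+
+add_offense(path) do |corrector|
+correct_path(corrector, path)
+end
+end
+
+def self.ws_sdk_supports_arrays?
+version = Gem.loaded_specs['ws-sdk']&.version
+version && version >= Gem::Version.new('13.3.0')
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+if path.send_type?
+[path.source]
+else
+convert_str_path_to_source(path)
+end
+return unless parts # conversion to parts failed, cannot auto-correct
+
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+
+def convert_str_path_to_source(path)
+path.children.flat_map do |child|
+case child&.type
+when :str
+convert_str_node_to_array_source(child)
+when :begin # begin interpolation
+child.children.first.source
+when :send
+child.source
+else
+break # do not know how to auto-correct other types
+end
+end
+end
+
+def convert_str_node_to_array_source(node)
+node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+end
+end
+end
+end
+end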
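Review bot: The autocorrect in `convert_str_path_to_source` splits an interpolated string into components wherever the `str`/`begin` children happen to fall, so `"/api/v#{ver}"` becomes `["api", "v", ver]` and `"/accounts/#{id}.json"` becomes `["accounts", id, ".json"]`, changing the path the client actually requests. The guard `path && path.type != :array` in `on_send` also lets a plain `str` or `lvar` argument through, and for those `path.children` holds a String or Symbol, so `child&.type` raises inside the corrector; a plain literal carries no interpolation to inject into, and wrapping a `send` path as `[path.source]` turns the whole computed path into one component, which the sibling WsSdkPathArraySlash cop documents as having its slashes encoded to `%2f`. The rewrite below reports only `dstr` and `send` paths, autocorrects only a `dstr` whose interpolations all sit on `/` boundaries, and uses `inspect` so quotes and backslashes in the literals survive the rewrite. The "okay" example in the class comment calls `URI.encode_www_component`, which does not exist in the standard library; the method is `URI.encode_www_form_component`.

```ruby
def on_send(node)
  return unless self.class.ws_sdk_supports_arrays?

  path, = ws_sdk_service_call?(node)
  # Only an interpolated literal (dstr) or a computed value (send) can carry
  # untrusted input; a plain str or an array argument is left alone.
  return unless path && (path.dstr_type? || path.send_type?)

  add_offense(path) do |corrector|
    correct_path(corrector, path)
  end
end

# … unchanged: ws_sdk_supports_arrays?, private …

def correct_path(corrector, path)
  # A computed path cannot be split into components statically; wrapping it
  # whole would make every `/` inside it part of a single component.
  return unless path.dstr_type?

  parts = convert_str_path_to_source(path)
  return unless parts # interpolation not on a `/` boundary, cannot auto-correct

  corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
end

def convert_str_path_to_source(path)
  children = path.children
  return unless segment_aligned?(children)

  children.flat_map do |child|
    child.str_type? ? convert_str_node_to_array_source(child) : child.children.first.source
  end
end

# Every interpolation must be bounded by `/` in the neighbouring literals,
# otherwise splitting changes the path (`"/v#{n}"` is a single segment).
def segment_aligned?(children)
  return false unless children.all? { |c| c.str_type? || c.begin_type? }

  children.each_cons(2).all? do |left, right|
    if left.str_type? && right.begin_type?
      left.value.end_with?('/')
    elsif left.begin_type? && right.str_type?
      right.value.start_with?('/')
    else
      false # two interpolations, or two literals, back to back
    end
  end
end

def convert_str_node_to_array_source(node)
  node.value.delete_prefix('/').delete_suffix('/').split('/').map(&:inspect)
end
```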
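--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -3,6 +3,7 @@
 module RuboCop
 end
 
+require_relative 'vendor/active_record_connection_execute'
 require_relative 'vendor/recursive_open_struct_gem'
 require_relative 'vendor/sidekiq_throttled_gem'
 require_relative 'vendor/recursive_open_struct_use'
@@ -12,3 +13,5 @@ require_relative 'vendor/rollbar_log'
 require_relative 'vendor/rollbar_logger'
 require_relative 'vendor/rollbar_with_exception'
 require_relative 'vendor/strict_dry_struct'
+require_relative 'vendor/ws_sdk_path_array_slash'
+require_relative 'vendor/ws_sdk_path_injection'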
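--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -2,6 +2,6 @@
 
 module RuboCop
 module Vendor
-VERSION = '0.10.0'
+VERSION = '0.12.0'
 end
 end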
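--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-vendor
 version: !ruby/object:Gem::Version
-version: 0.10.0
+version: 0.12.0
 platform: ruby
 authors:
 - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-26 00:00:00.000000000 Z
+date: 2023-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop
@@ -82,6 +82,7 @@ files:
 - README.md
 - config/default.yml
 - lib/rubocop-vendor.rb
+- lib/rubocop/cop/vendor/active_record_connection_execute.rb
 - lib/rubocop/cop/vendor/base.rb
 - lib/rubocop/cop/vendor/recursive_open_struct_gem.rb
 - lib/rubocop/cop/vendor/recursive_open_struct_use.rb
@@ -92,6 +93,8 @@ files:
 - lib/rubocop/cop/vendor/rollbar_with_exception.rb
 - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
 - lib/rubocop/cop/vendor/strict_dry_struct.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
 - lib/rubocop/cop/vendor_cops.rb
 - lib/rubocop/vendor.rb
 - lib/rubocop/vendor/inject.rb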