rubocop-vendor 0.11.0 → 0.12.0

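--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: f69fd94e8d9429fec0334913a5d2bcfa8f2e2873e777ec17879a37d0ca044eb6
-data.tar.gz: 6a012a6071337d04d50cefd51ddc07c63abe07f96f70eae9acd094e9a8d8ee27
+metadata.gz: 5e8a207496eb8ecac737af481053083a942d3ad3bbbdabe19c0786afbabff226
+data.tar.gz: 0636c9d456890e9ff0cbf0dd58844d9d84d0b9720c52f242d993a45d06d7562f
 SHA512:
-metadata.gz: 6406158144116b3cc61af8e30c8e68c2285073b8eb5ed0ed2fba58f7570a3c5d73732a1ed331beb1333957e08606228faefc1bd1803fdac34d2ab903015d8008
-data.tar.gz: 470e41a804dba4c86ac1b8654a2204fdf4de33dec852d1c185e98b9fbc2f509cf28e7eec4a7fed575374c0cf23cc45cb19ffb30abc2caa6fb89f9b4898c0730d
+metadata.gz: 9b9fd407aace500ee8a51d024e476213cc4a525d2f18f413059ba32c76d418d79407c1d421550de51ebcda4543b7396a42b9e95a73497a39c4e4a5f0e8ac2104
+data.tar.gz: 45aa5f974f41e6e8ce97f58366ca5c98e981861edf5aaac45f3653abe03a9b1d80c6e8f1b2ed74a6c06b6454f5bcb3c7ed98b6417fa868663e09db154d499926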
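--- /dev/null
+++ b/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
+# where the array format is used, but it contains (probably not) intended slashes.
+# These slashes will be converted to %2f instead of a path component.
+#
+# @example
+# # bad
+# Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
+#
+# # good
+# Ws::AccountService.post(["test", "foo"])
+#
+class WsSdkPathArraySlash < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+When switching to array arguments, you must put each path component individually
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+path, = ws_sdk_service_call?(node)
+return unless path&.array_type?
+
+strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
+
+strings_with_slash.each do |str_node|
+add_offense(str_node) do |corrector|
+correct_path(corrector, path)
+end
+end
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+path.children.flat_map do |child|
+if child.str_type? && child.value.include?('/')
+child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+else
+[child.source]
+end
+end
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+end
+end
+end
+end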
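Review bot: `correct_path` rebuilds each split component as `"\"#{v}\""` from the evaluated `child.value` (new line 51), so an element whose value contains `"`, `\`, `#{` or an escape sequence such as `\t` is written back as invalid or altered Ruby; `.map(&:inspect)` emits a correctly escaped double-quoted literal for every case. The same construction appears in `convert_str_node_to_array_source` of the `ws_sdk_path_injection` hunk below and needs the same change. A lone `"/"` element also goes through `delete_prefix('/').delete_suffix('/').split('/')` and yields `[]`, so the element is silently dropped from the corrected array rather than left alone or reported as unconvertible; whether that matters depends on how the SDK encodes an empty component, which this hunk does not show. `on_send` adds one offense per slash-containing element but each corrector replaces the whole array range; the replacements are identical so they presumably merge, but a short comment on the `each` saying that is intentional would save the next reader the same question.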
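--- /dev/null
+++ b/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
+# instead of using interpolated values that could be user input.
+#
+# This is to avoid path injection, a potential security vulnerability!
+#
+# @example
+# # bad
+# # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
+# Ws::AccountService.post("/api/accounts/#{account_id}/details")
+#
+# # good
+# Ws::AccountService.post(["api","accounts", account_id, "details"])
+#
+# # okay, but prefer above
+# Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
+#
+class WsSdkPathInjection < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+return unless self.class.ws_sdk_supports_arrays?
+
+path, = ws_sdk_service_call?(node)
+return unless path && path.type != :array
+
+add_offense(path) do |corrector|
+correct_path(corrector, path)
+end
+end
+
+def self.ws_sdk_supports_arrays?
+version = Gem.loaded_specs['ws-sdk']&.version
+version && version >= Gem::Version.new('13.3.0')
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+if path.send_type?
+[path.source]
+else
+convert_str_path_to_source(path)
+end
+return unless parts # conversion to parts failed, cannot auto-correct
+
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+
+def convert_str_path_to_source(path)
+path.children.flat_map do |child|
+case child&.type
+when :str
+convert_str_node_to_array_source(child)
+when :begin # begin interpolation
+child.children.first.source
+when :send
+child.source
+else
+break # do not know how to auto-correct other types
+end
+end
+end
+
+def convert_str_node_to_array_source(node)
+node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+end
+end
+end
+end
+end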
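Review bot: `correct_path` crashes on any non-`dstr` path: `on_send` flags every argument whose type is not `:array`, so a plain string literal or a local variable reaches `convert_str_path_to_source`, where `path.children` holds a raw String or Symbol rather than nodes and `child&.type` (new line 69) raises NoMethodError inside the autocorrect block. In the `parts =` chain, add `elsif path.str_type? then convert_str_node_to_array_source(path)` and narrow the existing `else` to `elsif path.dstr_type?`, so everything else falls through to `nil` and the existing `return unless parts` skips the correction. The `dstr` conversion also turns every `begin` child into its own array element even when the neighbouring `str` children do not end or start with `/` (`"/api/#{id}s"` becomes `["api", id, "s"]`), which silently changes the request path; it is safer to autocorrect only when each interpolation is slash-delimited and otherwise report the offense without a corrector. `ws_sdk_supports_arrays?` consults `Gem.loaded_specs['ws-sdk']` on every `on_send`, and presumably returns false whenever ws-sdk is not activated in the RuboCop process, so the cop then never reports; memoizing the result and documenting that precondition in the class comment would make the silent no-op visible. The "okay" `@example` names `URI.encode_www_component`, but the stdlib method is `URI.encode_www_form_component`.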
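--- a/lib/rubocop/cop/vendor_cops.rb
+++ b/lib/rubocop/cop/vendor_cops.rb
@@ -13,3 +13,5 @@ require_relative 'vendor/rollbar_log'
 require_relative 'vendor/rollbar_logger'
 require_relative 'vendor/rollbar_with_exception'
 require_relative 'vendor/strict_dry_struct'
+require_relative 'vendor/ws_sdk_path_array_slash'
+require_relative 'vendor/ws_sdk_path_injection'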
@@ -2,6 +2,6 @@
2
2
 
3
3
  module RuboCop
4
4
  module Vendor
5
- VERSION = '0.11.0'
5
+ VERSION = '0.12.0'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubocop-vendor
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.11.0
4
+ version: 0.12.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2023-05-26 00:00:00.000000000 Z
13
+ date: 2023-08-01 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: rubocop
@@ -93,6 +93,8 @@ files:
93
93
  - lib/rubocop/cop/vendor/rollbar_with_exception.rb
94
94
  - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
95
95
  - lib/rubocop/cop/vendor/strict_dry_struct.rb
96
+ - lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
97
+ - lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
96
98
  - lib/rubocop/cop/vendor_cops.rb
97
99
  - lib/rubocop/vendor.rb
98
100
  - lib/rubocop/vendor/inject.rb