rubocop-vendor 0.11.0 → 0.12.0
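--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e8a207496eb8ecac737af481053083a942d3ad3bbbdabe19c0786afbabff226
+data.tar.gz: 0636c9d456890e9ff0cbf0dd58844d9d84d0b9720c52f242d993a45d06d7562f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9b9fd407aace500ee8a51d024e476213cc4a525d2f18f413059ba32c76d418d79407c1d421550de51ebcda4543b7396a42b9e95a73497a39c4e4a5f0e8ac2104
+data.tar.gz: 45aa5f974f41e6e8ce97f58366ca5c98e981861edf5aaac45f3653abe03a9b1d80c6e8f1b2ed74a6c06b6454f5bcb3c7ed98b6417fa868663e09db154d499926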
@@ -0,0 +1,61 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'parser/current'
|
4
|
+
|
5
|
+
module RuboCop
|
6
|
+
module Cop
|
7
|
+
module Vendor
|
8
|
+
# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
|
9
|
+
# where the array format is used, but it contains (probably not) intended slashes.
|
10
|
+
# These slashes will be converted to %2f instead of a path component.
|
11
|
+
#
|
12
|
+
# @example
|
13
|
+
# # bad
|
14
|
+
# Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
|
15
|
+
#
|
16
|
+
# # good
|
17
|
+
# Ws::AccountService.post(["test", "foo"])
|
18
|
+
#
|
19
|
+
class WsSdkPathArraySlash < Base
|
20
|
+
extend AutoCorrector
|
21
|
+
|
22
|
+
MSG = <<-STR.strip
|
23
|
+
When switching to array arguments, you must put each path component individually
|
24
|
+
STR
|
25
|
+
HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
|
26
|
+
|
27
|
+
# @!method ws_sdk_service_call?(node)
|
28
|
+
def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
|
29
|
+
(send (const (const _ :Ws) _) %method $...)
|
30
|
+
PATTERN
|
31
|
+
|
32
|
+
def on_send(node)
|
33
|
+
path, = ws_sdk_service_call?(node)
|
34
|
+
return unless path&.array_type?
|
35
|
+
|
36
|
+
strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
|
37
|
+
|
38
|
+
strings_with_slash.each do |str_node|
|
39
|
+
add_offense(str_node) do |corrector|
|
40
|
+
correct_path(corrector, path)
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
private
|
46
|
+
|
47
|
+
def correct_path(corrector, path)
|
48
|
+
parts =
|
49
|
+
path.children.flat_map do |child|
|
50
|
+
if child.str_type? && child.value.include?('/')
|
51
|
+
child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
|
52
|
+
else
|
53
|
+
[child.source]
|
54
|
+
end
|
55
|
+
end
|
56
|
+
corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
|
57
|
+
end
|
58
|
+
end
|
59
|
+
end
|
60
|
+
end
|
61
|
+
end
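Review bot: `correct_path` builds each replacement literal as `"\"#{v}\""` (line 51 of the new file), which does no escaping, so a value containing `"`, `\` or `#{` — e.g. the single-quoted `'/a"b'` — autocorrects into an unparseable literal; `child.value.delete_prefix('/').delete_suffix('/').split('/').map(&:inspect)` emits properly escaped Ruby string literals instead. The split also keeps empty segments and loses a lone slash: `"/a//b"` becomes `["a", "", "b"]` and `["/", "x"]` becomes `["x"]`, and neither is obviously what the author meant, so the correction should leave the offense uncorrected (return before `corrector.replace`) when a value contains `//` or consists only of `/` rather than guess. Registering the identical whole-array replacement once per offending string is redundant; collecting the offending strings and calling `correct_path` once would read cleaner. Nit: the `# bad` example comment says `forward flash` where `forward slash` is meant.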
|
@@ -0,0 +1,88 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'parser/current'
|
4
|
+
|
5
|
+
module RuboCop
|
6
|
+
module Cop
|
7
|
+
module Vendor
|
8
|
+
# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
|
9
|
+
# instead of using interpolated values that could be user input.
|
10
|
+
#
|
11
|
+
# This is to avoid path injection, a potential security vulnerability!
|
12
|
+
#
|
13
|
+
# @example
|
14
|
+
# # bad
|
15
|
+
# # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
|
16
|
+
# Ws::AccountService.post("/api/accounts/#{account_id}/details")
|
17
|
+
#
|
18
|
+
# # good
|
19
|
+
# Ws::AccountService.post(["api","accounts", account_id, "details"])
|
20
|
+
#
|
21
|
+
# # okay, but prefer above
|
22
|
+
# Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
|
23
|
+
#
|
24
|
+
class WsSdkPathInjection < Base
|
25
|
+
extend AutoCorrector
|
26
|
+
|
27
|
+
MSG = <<-STR.strip
|
28
|
+
Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
|
29
|
+
STR
|
30
|
+
HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
|
31
|
+
|
32
|
+
# @!method ws_sdk_service_call?(node)
|
33
|
+
def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
|
34
|
+
(send (const (const _ :Ws) _) %method $...)
|
35
|
+
PATTERN
|
36
|
+
|
37
|
+
def on_send(node)
|
38
|
+
return unless self.class.ws_sdk_supports_arrays?
|
39
|
+
|
40
|
+
path, = ws_sdk_service_call?(node)
|
41
|
+
return unless path && path.type != :array
|
42
|
+
|
43
|
+
add_offense(path) do |corrector|
|
44
|
+
correct_path(corrector, path)
|
45
|
+
end
|
46
|
+
end
|
47
|
+
|
48
|
+
def self.ws_sdk_supports_arrays?
|
49
|
+
version = Gem.loaded_specs['ws-sdk']&.version
|
50
|
+
version && version >= Gem::Version.new('13.3.0')
|
51
|
+
end
|
52
|
+
|
53
|
+
private
|
54
|
+
|
55
|
+
def correct_path(corrector, path)
|
56
|
+
parts =
|
57
|
+
if path.send_type?
|
58
|
+
[path.source]
|
59
|
+
else
|
60
|
+
convert_str_path_to_source(path)
|
61
|
+
end
|
62
|
+
return unless parts # conversion to parts failed, cannot auto-correct
|
63
|
+
|
64
|
+
corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
|
65
|
+
end
|
66
|
+
|
67
|
+
def convert_str_path_to_source(path)
|
68
|
+
path.children.flat_map do |child|
|
69
|
+
case child&.type
|
70
|
+
when :str
|
71
|
+
convert_str_node_to_array_source(child)
|
72
|
+
when :begin # begin interpolation
|
73
|
+
child.children.first.source
|
74
|
+
when :send
|
75
|
+
child.source
|
76
|
+
else
|
77
|
+
break # do not know how to auto-correct other types
|
78
|
+
end
|
79
|
+
end
|
80
|
+
end
|
81
|
+
|
82
|
+
def convert_str_node_to_array_source(node)
|
83
|
+
node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
|
84
|
+
end
|
85
|
+
end
|
86
|
+
end
|
87
|
+
end
|
88
|
+
end
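Review bot: `convert_str_path_to_source` iterates `path.children` as if they were nodes, but for a plain `:str` path (`Ws::AccountService.get("/api/accounts")`, which `path.type != :array` flags) the only child is the raw Ruby String, so `child&.type` raises NoMethodError when the correction block runs; the method needs `return convert_str_node_to_array_source(path) if path.str_type?` before the loop. For an interpolated path the autocorrect splits every `:str` fragment on `/` and emits each piece as its own component, so a fragment that meets an interpolation without a slash gains one: `"/api/accounts/#{id}.json"` becomes `["api", "accounts", id, ".json"]` (i.e. `/api/accounts/123/.json`) and `"/#{kind}s/#{id}"` becomes `[kind, "s", id]`; a cop meant to stop request paths being built from user input should refuse to correct (the `break` path makes `correct_path` return early) rather than silently change the path, and the `:begin` branch should likewise refuse an empty `#{}` instead of calling `.source` on `nil`. The `# okay` example names `URI.encode_www_component`, which does not exist; the real method is `URI.encode_www_form_component`, and it encodes a space as `+`, so it is not a faithful path-segment encoder either — `ERB::Util.url_encode` percent-encodes a single segment, and the array form stays the recommendation. `ws_sdk_supports_arrays?` keys the whole cop off `Gem.loaded_specs['ws-sdk']`, so when that gem is not activated in the process running rubocop (presumably a lint-only Gemfile or a global install) the cop is silently a no-op; that deserves a comment on the method, e.g. `# Silently disabled unless ws-sdk >= 13.3.0 is activated in this process`, and the lookup could be memoized since it runs on every send node. Also, a plain literal carries no interpolation, so either narrow the check to `dstr`/`send` arguments or reword MSG, which currently only describes interpolated values.
```ruby
def convert_str_path_to_source(path)
  # A plain literal has a String, not a node, as its only child.
  return convert_str_node_to_array_source(path) if path.str_type?

  children = path.children
  last = children.size - 1
  children.each_with_index.flat_map do |child, i|
    case child.type
    when :str
      value = child.value
      # A literal that touches an interpolation must do so at a '/', or the
      # rewrite would insert a separator the original path does not have.
      break if i.positive? && !value.start_with?('/')
      break if i < last && !value.end_with?('/')

      convert_str_node_to_array_source(child)
    when :begin # begin interpolation
      break unless child.children.size == 1 # empty or multi-statement #{}: refuse

      child.children.first.source
    # … unchanged: :send and else branches …
    end
  end
end
```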
|
@@ -13,3 +13,5 @@ require_relative 'vendor/rollbar_log'
|
|
13
13
|
require_relative 'vendor/rollbar_logger'
|
14
14
|
require_relative 'vendor/rollbar_with_exception'
|
15
15
|
require_relative 'vendor/strict_dry_struct'
|
16
|
+
require_relative 'vendor/ws_sdk_path_array_slash'
|
17
|
+
require_relative 'vendor/ws_sdk_path_injection'
|
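--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-vendor
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.12.0
 platform: ruby
 authors:
 - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-
+date: 2023-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rubocop
@@ -93,6 +93,8 @@ files:
 - lib/rubocop/cop/vendor/rollbar_with_exception.rb
 - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
 - lib/rubocop/cop/vendor/strict_dry_struct.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
 - lib/rubocop/cop/vendor_cops.rb
 - lib/rubocop/vendor.rb
 - lib/rubocop/vendor/inject.rb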