rubocop-vendor 0.11.0 → 0.12.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f69fd94e8d9429fec0334913a5d2bcfa8f2e2873e777ec17879a37d0ca044eb6
-  data.tar.gz: 6a012a6071337d04d50cefd51ddc07c63abe07f96f70eae9acd094e9a8d8ee27
+  metadata.gz: 3c809c5b9a7d9b2d126f055b5e497fde38c3b753da4dd75e951b177abf61749e
+  data.tar.gz: d815df554dc91c1e56dda01e92aab3fd704a78f47ecece6f1ea8615be18aede8
 SHA512:
-  metadata.gz: 6406158144116b3cc61af8e30c8e68c2285073b8eb5ed0ed2fba58f7570a3c5d73732a1ed331beb1333957e08606228faefc1bd1803fdac34d2ab903015d8008
-  data.tar.gz: 470e41a804dba4c86ac1b8654a2204fdf4de33dec852d1c185e98b9fbc2f509cf28e7eec4a7fed575374c0cf23cc45cb19ffb30abc2caa6fb89f9b4898c0730d
+  metadata.gz: 4719406e2c8b304e04b7058d3791eaef770f905cbc006772d80aa4e204cf05236d457309e75686cac53165c041f14eccfa6321c80d8d24b248ccebefe6a93b7d
+  data.tar.gz: e279095669e96d455fb54ec11285f2f1aa1c5aa0b7d9f10131ea23f9f07440fd03b8d0a10d0abfa5517e2c00a40dcc3218ba592f5f5b15aa6efb9cedd52fe635

data/config/default.yml

@@ -1,4 +1,24 @@
-# This is the default configuration file.
+---
+Vendor:
+  Enabled: true
+
+Vendor/ActiveRecordConnectionExecute:
+  Enabled: true
+
+Vendor/RecursiveOpenStructGem:
+  Description: 'Avoid using the `RecursiveOpenStruct` gem.'
+  Enabled: true
+  VersionAdded: '0.1.0'
+
+Vendor/RecursiveOpenStructUse:
+  Description: 'Avoid using the `RecursiveOpenStruct` gem.'
+  Enabled: true
+  VersionAdded: '0.1.0'
+
+Vendor/RollbarInsideRescue:
+  Description: 'Only call Rollbar when handling errors inside a `rescue` block.'
+  Enabled: true
+  VersionAdded: '0.1.0'
 
 Vendor/RollbarInterpolation:
   Description: 'Avoid interpolation to improve error grouping.'
@@ -19,3 +39,23 @@ Vendor/RollbarWithException:
   Description: 'Always pass exception parameter when calling `Rollbar.error` or `critical`.'
   Enabled: true
   VersionAdded: '0.1.0'
+
+Vendor/SidekiqThrottledGem:
+  Description: 'Avoid using the `sidekiq-throttled` gem.'
+  Enabled: true
+  VersionAdded: '0.1.0'
+
+Vendor/StrictDryStruct:
+  Description: 'Avoid using `Dry::Struct` without schema schema.strict'
+  Enabled: true
+  VersionAdded: '0.1.0'
+
+Vendor/WsSdkPathArraySlash:
+  Description: 'Avoid using `ws_sdk` with path array with slash.'
+  Enabled: true
+  VersionAdded: '0.12.0'
+
+Vendor/WsSdkPathInjection:
+  Description: 'Avoid using `ws_sdk` with path injection.'
+  Enabled: true
+  VersionAdded: '0.12.0'

data/lib/rubocop/cop/vendor/rollbar_log.rb

@@ -45,7 +45,7 @@ module RuboCop
         def offending_range(node)
           range_between(
             node.children[0].loc.last_column + 1,
-            node.children[3].loc.column
+            node.children[3].loc.column,
           )
         end
       end

data/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+  module Cop
+    module Vendor
+      # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
+      # where the array format is used, but it contains (probably not) intended slashes.
+      # These slashes will be converted to %2f instead of a path component.
+      #
+      # @example
+      #   # bad
+      #   Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
+      #
+      #   # good
+      #   Ws::AccountService.post(["test", "foo"])
+      #
+      class WsSdkPathArraySlash < Base
+        extend AutoCorrector
+
+        MSG = <<-STR.strip
+          When switching to array arguments, you must put each path component individually
+        STR
+        HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+        # @!method ws_sdk_service_call?(node)
+        def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+          (send (const (const _ :Ws) _) %method $...)
+        PATTERN
+
+        def on_send(node)
+          path, = ws_sdk_service_call?(node)
+          return unless path&.array_type?
+
+          strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
+
+          strings_with_slash.each do |str_node|
+            add_offense(str_node) do |corrector|
+              correct_path(corrector, path)
+            end
+          end
+        end
+
+        private
+
+        def correct_path(corrector, path)
+          parts =
+            path.children.flat_map do |child|
+              if child.str_type? && child.value.include?('/')
+                child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+              else
+                [child.source]
+              end
+            end
+          corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+  module Cop
+    module Vendor
+      # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
+      # instead of using interpolated values that could be user input.
+      #
+      # This is to avoid path injection, a potential security vulnerability!
+      #
+      # @example
+      #   # bad
+      #   # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
+      #   Ws::AccountService.post("/api/accounts/#{account_id}/details")
+      #
+      #   # good
+      #   Ws::AccountService.post(["api","accounts", account_id, "details"])
+      #
+      #   # okay, but prefer above
+      #   Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
+      #
+      class WsSdkPathInjection < Base
+        extend AutoCorrector
+
+        MSG = <<-STR.strip
+          Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
+        STR
+        HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+        # @!method ws_sdk_service_call?(node)
+        def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+          (send (const (const _ :Ws) _) %method $...)
+        PATTERN
+
+        def on_send(node)
+          return unless self.class.ws_sdk_supports_arrays?
+
+          path, = ws_sdk_service_call?(node)
+          return unless path.respond_to?(:type) && path.dstr_type?
+
+          add_offense(path) do |corrector|
+            correct_path(corrector, path)
+          end
+        end
+
+        def self.ws_sdk_supports_arrays?
+          version = Gem.loaded_specs['ws-sdk']&.version
+          version && version >= Gem::Version.new('13.3.0')
+        end
+
+        private
+
+        def correct_path(corrector, path)
+          parts =
+            if path.send_type?
+              [path.source]
+            else
+              convert_str_path_to_source(path)
+            end
+          return unless parts # conversion to parts failed, cannot auto-correct
+
+          corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+        end
+
+        def convert_str_path_to_source(path)
+          path.children.flat_map do |child|
+            case child&.type
+            when :str
+              convert_str_node_to_array_source(child)
+            when :begin # begin interpolation
+              child.children.first.source
+            when :send
+              child.source
+            else
+              break # do not know how to auto-correct other types
+            end
+          end
+        end
+
+        def convert_str_node_to_array_source(node)
+          node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/vendor_cops.rb

@@ -13,3 +13,5 @@ require_relative 'vendor/rollbar_log'
 require_relative 'vendor/rollbar_logger'
 require_relative 'vendor/rollbar_with_exception'
 require_relative 'vendor/strict_dry_struct'
+require_relative 'vendor/ws_sdk_path_array_slash'
+require_relative 'vendor/ws_sdk_path_injection'

data/lib/rubocop/vendor/version.rb

@@ -2,6 +2,6 @@
 
 module RuboCop
   module Vendor
-    VERSION = '0.11.0'
+    VERSION = '0.12.1'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubocop-vendor
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.1
 platform: ruby
 authors:
 - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-26 00:00:00.000000000 Z
+date: 2023-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rubocop
@@ -18,14 +18,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.53.0
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.53.0
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: git
   requirement: !ruby/object:Gem::Requirement
@@ -68,6 +68,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: ws-style
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: |2
       A collection of RuboCop cops to check for vendor integration
       in Ruby code.
@@ -93,6 +107,8 @@ files:
 - lib/rubocop/cop/vendor/rollbar_with_exception.rb
 - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
 - lib/rubocop/cop/vendor/strict_dry_struct.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
+- lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
 - lib/rubocop/cop/vendor_cops.rb
 - lib/rubocop/vendor.rb
 - lib/rubocop/vendor/inject.rb
@@ -122,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.33
+rubygems_version: 3.4.10
 signing_key: 
 specification_version: 4
 summary: Automatic vendor integration checking tool for Ruby code.