rubocop-vendor 0.11.0 → 0.12.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f69fd94e8d9429fec0334913a5d2bcfa8f2e2873e777ec17879a37d0ca044eb6
4
- data.tar.gz: 6a012a6071337d04d50cefd51ddc07c63abe07f96f70eae9acd094e9a8d8ee27
3
+ metadata.gz: 3c809c5b9a7d9b2d126f055b5e497fde38c3b753da4dd75e951b177abf61749e
4
+ data.tar.gz: d815df554dc91c1e56dda01e92aab3fd704a78f47ecece6f1ea8615be18aede8
5
5
  SHA512:
6
- metadata.gz: 6406158144116b3cc61af8e30c8e68c2285073b8eb5ed0ed2fba58f7570a3c5d73732a1ed331beb1333957e08606228faefc1bd1803fdac34d2ab903015d8008
7
- data.tar.gz: 470e41a804dba4c86ac1b8654a2204fdf4de33dec852d1c185e98b9fbc2f509cf28e7eec4a7fed575374c0cf23cc45cb19ffb30abc2caa6fb89f9b4898c0730d
6
+ metadata.gz: 4719406e2c8b304e04b7058d3791eaef770f905cbc006772d80aa4e204cf05236d457309e75686cac53165c041f14eccfa6321c80d8d24b248ccebefe6a93b7d
7
+ data.tar.gz: e279095669e96d455fb54ec11285f2f1aa1c5aa0b7d9f10131ea23f9f07440fd03b8d0a10d0abfa5517e2c00a40dcc3218ba592f5f5b15aa6efb9cedd52fe635
data/config/default.yml CHANGED
@@ -1,4 +1,24 @@
1
- # This is the default configuration file.
1
+ ---
2
+ Vendor:
3
+ Enabled: true
4
+
5
+ Vendor/ActiveRecordConnectionExecute:
6
+ Enabled: true
7
+
8
+ Vendor/RecursiveOpenStructGem:
9
+ Description: 'Avoid using the `RecursiveOpenStruct` gem.'
10
+ Enabled: true
11
+ VersionAdded: '0.1.0'
12
+
13
+ Vendor/RecursiveOpenStructUse:
14
+ Description: 'Avoid using the `RecursiveOpenStruct` gem.'
15
+ Enabled: true
16
+ VersionAdded: '0.1.0'
17
+
18
+ Vendor/RollbarInsideRescue:
19
+ Description: 'Only call Rollbar when handling errors inside a `rescue` block.'
20
+ Enabled: true
21
+ VersionAdded: '0.1.0'
2
22
 
3
23
  Vendor/RollbarInterpolation:
4
24
  Description: 'Avoid interpolation to improve error grouping.'
@@ -19,3 +39,23 @@ Vendor/RollbarWithException:
19
39
  Description: 'Always pass exception parameter when calling `Rollbar.error` or `critical`.'
20
40
  Enabled: true
21
41
  VersionAdded: '0.1.0'
42
+
43
+ Vendor/SidekiqThrottledGem:
44
+ Description: 'Avoid using the `sidekiq-throttled` gem.'
45
+ Enabled: true
46
+ VersionAdded: '0.1.0'
47
+
48
+ Vendor/StrictDryStruct:
49
+ Description: 'Avoid using `Dry::Struct` without schema schema.strict'
50
+ Enabled: true
51
+ VersionAdded: '0.1.0'
52
+
53
+ Vendor/WsSdkPathArraySlash:
54
+ Description: 'Avoid using `ws_sdk` with path array with slash.'
55
+ Enabled: true
56
+ VersionAdded: '0.12.0'
57
+
58
+ Vendor/WsSdkPathInjection:
59
+ Description: 'Avoid using `ws_sdk` with path injection.'
60
+ Enabled: true
61
+ VersionAdded: '0.12.0'
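Review bot: Neither of the two new entries at the end of this hunk, Vendor/WsSdkPathArraySlash and Vendor/WsSdkPathInjection, declares `SafeAutoCorrect: false`, although both cops ship an autocorrect that rewrites a string path into array components and can therefore change the path a request is sent to (a fragment such as `"#{id}.json"` becomes its own component). RuboCop applies corrections that are not marked unsafe under plain `-a`/`--autocorrect`, so each of the two entries should carry `SafeAutoCorrect: false` so that the rewrite only runs under `-A`. The Vendor/StrictDryStruct description added in the same hunk reads `without schema schema.strict`, which repeats a word.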
@@ -45,7 +45,7 @@ module RuboCop
45
45
  def offending_range(node)
46
46
  range_between(
47
47
  node.children[0].loc.last_column + 1,
48
- node.children[3].loc.column
48
+ node.children[3].loc.column,
49
49
  )
50
50
  end
51
51
  end
@@ -0,0 +1,61 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'parser/current'
4
+
5
+ module RuboCop
6
+ module Cop
7
+ module Vendor
8
+ # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
9
+ # where the array format is used, but it contains (probably not) intended slashes.
10
+ # These slashes will be converted to %2f instead of a path component.
11
+ #
12
+ # @example
13
+ # # bad
14
+ # Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
15
+ #
16
+ # # good
17
+ # Ws::AccountService.post(["test", "foo"])
18
+ #
19
+ class WsSdkPathArraySlash < Base
20
+ extend AutoCorrector
21
+
22
+ MSG = <<-STR.strip
23
+ When switching to array arguments, you must put each path component individually
24
+ STR
25
+ HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
26
+
27
+ # @!method ws_sdk_service_call?(node)
28
+ def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
29
+ (send (const (const _ :Ws) _) %method $...)
30
+ PATTERN
31
+
32
+ def on_send(node)
33
+ path, = ws_sdk_service_call?(node)
34
+ return unless path&.array_type?
35
+
36
+ strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
37
+
38
+ strings_with_slash.each do |str_node|
39
+ add_offense(str_node) do |corrector|
40
+ correct_path(corrector, path)
41
+ end
42
+ end
43
+ end
44
+
45
+ private
46
+
47
+ def correct_path(corrector, path)
48
+ parts =
49
+ path.children.flat_map do |child|
50
+ if child.str_type? && child.value.include?('/')
51
+ child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
52
+ else
53
+ [child.source]
54
+ end
55
+ end
56
+ corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
57
+ end
58
+ end
59
+ end
60
+ end
61
+ end
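Review bot: The autocorrect in correct_path builds each replacement literal with `"\"#{v}\""`, which does not escape a double quote, backslash or `#{` contained in the original string (e.g. `['a"b/c']`), so it can emit invalid or newly interpolating source; `split('/').map(&:inspect)` produces a correctly escaped literal. convert_str_node_to_array_source in WsSdkPathInjection uses the same construction. Two edge cases deserve a decision and a comment: an element that is only `"/"` is reduced to nothing and silently dropped from the array, and `"a//b"` yields an empty `""` component, so a note such as `# an element of only "/" contributes no component; "a//b" keeps an empty one` would make the intent explicit if that is wanted. The `select` in on_send inspects only `str` children, so an interpolated element such as `["/#{id}/x"]` is not flagged, which may be intended given the sibling cop but is worth stating in the class comment.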
@@ -0,0 +1,88 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'parser/current'
4
+
5
+ module RuboCop
6
+ module Cop
7
+ module Vendor
8
+ # This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
9
+ # instead of using interpolated values that could be user input.
10
+ #
11
+ # This is to avoid path injection, a potential security vulnerability!
12
+ #
13
+ # @example
14
+ # # bad
15
+ # # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
16
+ # Ws::AccountService.post("/api/accounts/#{account_id}/details")
17
+ #
18
+ # # good
19
+ # Ws::AccountService.post(["api","accounts", account_id, "details"])
20
+ #
21
+ # # okay, but prefer above
22
+ # Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
23
+ #
24
+ class WsSdkPathInjection < Base
25
+ extend AutoCorrector
26
+
27
+ MSG = <<-STR.strip
28
+ Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
29
+ STR
30
+ HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
31
+
32
+ # @!method ws_sdk_service_call?(node)
33
+ def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
34
+ (send (const (const _ :Ws) _) %method $...)
35
+ PATTERN
36
+
37
+ def on_send(node)
38
+ return unless self.class.ws_sdk_supports_arrays?
39
+
40
+ path, = ws_sdk_service_call?(node)
41
+ return unless path.respond_to?(:type) && path.dstr_type?
42
+
43
+ add_offense(path) do |corrector|
44
+ correct_path(corrector, path)
45
+ end
46
+ end
47
+
48
+ def self.ws_sdk_supports_arrays?
49
+ version = Gem.loaded_specs['ws-sdk']&.version
50
+ version && version >= Gem::Version.new('13.3.0')
51
+ end
52
+
53
+ private
54
+
55
+ def correct_path(corrector, path)
56
+ parts =
57
+ if path.send_type?
58
+ [path.source]
59
+ else
60
+ convert_str_path_to_source(path)
61
+ end
62
+ return unless parts # conversion to parts failed, cannot auto-correct
63
+
64
+ corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
65
+ end
66
+
67
+ def convert_str_path_to_source(path)
68
+ path.children.flat_map do |child|
69
+ case child&.type
70
+ when :str
71
+ convert_str_node_to_array_source(child)
72
+ when :begin # begin interpolation
73
+ child.children.first.source
74
+ when :send
75
+ child.source
76
+ else
77
+ break # do not know how to auto-correct other types
78
+ end
79
+ end
80
+ end
81
+
82
+ def convert_str_node_to_array_source(node)
83
+ node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
84
+ end
85
+ end
86
+ end
87
+ end
88
+ end
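Review bot: The autocorrect in convert_str_path_to_source splits every `str` fragment on `/` without checking that the fragment meets the neighbouring interpolation at a component boundary, so `"/api/accounts/#{id}.json"` is rewritten to `["api", "accounts", id, ".json"]` and `"prefix-#{id}"` to `["prefix-", id]`, both of which address a different path than the original. The conversion should return nil, leaving the offense reported but uncorrected, whenever a `str` fragment before an interpolation does not end with `/` or one after it does not start with `/`, as sketched below. The `# okay` example in the class comment names `URI.encode_www_component`, which does not exist in Ruby's stdlib URI module; the method is `URI.encode_www_form_component`. The `Gem.loaded_specs['ws-sdk']` gate in on_send suppresses the offense itself, not only the correction, whenever ws-sdk is not loaded in the RuboCop process, which is surprising for a security check and deserves a comment such as `# NOTE: offenses are only reported when ws-sdk >= 13.3.0 is loaded, since older SDKs cannot take array paths`.
```ruby
def convert_str_path_to_source(path)
  children = path.children
  children.each_with_index.flat_map do |child, i|
    case child&.type
    when :str
      # A fragment that meets an interpolation mid-component (e.g. "…/#{id}.json")
      # cannot be split into array components without changing the path.
      return nil if i.positive? && !child.value.start_with?('/')
      return nil if i < children.size - 1 && !child.value.end_with?('/')
      convert_str_node_to_array_source(child)
    # … unchanged: :begin and :send branches …
    else
      return nil # do not know how to auto-correct other types
    end
  end
end
```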
@@ -13,3 +13,5 @@ require_relative 'vendor/rollbar_log'
13
13
  require_relative 'vendor/rollbar_logger'
14
14
  require_relative 'vendor/rollbar_with_exception'
15
15
  require_relative 'vendor/strict_dry_struct'
16
+ require_relative 'vendor/ws_sdk_path_array_slash'
17
+ require_relative 'vendor/ws_sdk_path_injection'
@@ -2,6 +2,6 @@
2
2
 
3
3
  module RuboCop
4
4
  module Vendor
5
- VERSION = '0.11.0'
5
+ VERSION = '0.12.1'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rubocop-vendor
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.11.0
4
+ version: 0.12.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Danilo Cabello
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2023-05-26 00:00:00.000000000 Z
13
+ date: 2023-08-02 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: rubocop
@@ -18,14 +18,14 @@ dependencies:
18
18
  requirements:
19
19
  - - ">="
20
20
  - !ruby/object:Gem::Version
21
- version: 0.53.0
21
+ version: '0'
22
22
  type: :runtime
23
23
  prerelease: false
24
24
  version_requirements: !ruby/object:Gem::Requirement
25
25
  requirements:
26
26
  - - ">="
27
27
  - !ruby/object:Gem::Version
28
- version: 0.53.0
28
+ version: '0'
29
29
  - !ruby/object:Gem::Dependency
30
30
  name: git
31
31
  requirement: !ruby/object:Gem::Requirement
@@ -68,6 +68,20 @@ dependencies:
68
68
  - - ">="
69
69
  - !ruby/object:Gem::Version
70
70
  version: '0'
71
+ - !ruby/object:Gem::Dependency
72
+ name: ws-style
73
+ requirement: !ruby/object:Gem::Requirement
74
+ requirements:
75
+ - - ">="
76
+ - !ruby/object:Gem::Version
77
+ version: '0'
78
+ type: :development
79
+ prerelease: false
80
+ version_requirements: !ruby/object:Gem::Requirement
81
+ requirements:
82
+ - - ">="
83
+ - !ruby/object:Gem::Version
84
+ version: '0'
71
85
  description: |2
72
86
  A collection of RuboCop cops to check for vendor integration
73
87
  in Ruby code.
@@ -93,6 +107,8 @@ files:
93
107
  - lib/rubocop/cop/vendor/rollbar_with_exception.rb
94
108
  - lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
95
109
  - lib/rubocop/cop/vendor/strict_dry_struct.rb
110
+ - lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
111
+ - lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
96
112
  - lib/rubocop/cop/vendor_cops.rb
97
113
  - lib/rubocop/vendor.rb
98
114
  - lib/rubocop/vendor/inject.rb
@@ -122,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
122
138
  - !ruby/object:Gem::Version
123
139
  version: '0'
124
140
  requirements: []
125
- rubygems_version: 3.2.33
141
+ rubygems_version: 3.4.10
126
142
  signing_key:
127
143
  specification_version: 4
128
144
  summary: Automatic vendor integration checking tool for Ruby code.
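Review bot: The runtime dependency on rubocop is relaxed from `>= 0.53.0` to `'0'` in the same release that adds cops built on `RuboCop::Cop::Base` and `extend AutoCorrector`, which only exist from RuboCop 0.87.0 onwards, so the gem now resolves against RuboCop versions on which the new cop files would be expected to fail to load. Since this metadata is generated, the fix belongs in the gemspec, which is not part of this diff, along the lines of `spec.add_dependency 'rubocop', '>= 0.87.0'` or whichever minimum the cops were actually tested against.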