rubocop-vendor 0.11.0 → 0.12.1
- checksums.yaml +4 -4
- data/config/default.yml +41 -1
- data/lib/rubocop/cop/vendor/rollbar_log.rb +1 -1
- data/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb +61 -0
- data/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb +88 -0
- data/lib/rubocop/cop/vendor_cops.rb +2 -0
- data/lib/rubocop/vendor/version.rb +1 -1
- metadata +21 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 3c809c5b9a7d9b2d126f055b5e497fde38c3b753da4dd75e951b177abf61749e
|
4
|
+
data.tar.gz: d815df554dc91c1e56dda01e92aab3fd704a78f47ecece6f1ea8615be18aede8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 4719406e2c8b304e04b7058d3791eaef770f905cbc006772d80aa4e204cf05236d457309e75686cac53165c041f14eccfa6321c80d8d24b248ccebefe6a93b7d
|
7
|
+
data.tar.gz: e279095669e96d455fb54ec11285f2f1aa1c5aa0b7d9f10131ea23f9f07440fd03b8d0a10d0abfa5517e2c00a40dcc3218ba592f5f5b15aa6efb9cedd52fe635
|
data/config/default.yml
CHANGED
@@ -1,4 +1,24 @@
|
|
1
|
-
|
1
|
+
---
|
2
|
+
Vendor:
|
3
|
+
Enabled: true
|
4
|
+
|
5
|
+
Vendor/ActiveRecordConnectionExecute:
|
6
|
+
Enabled: true
|
7
|
+
|
8
|
+
Vendor/RecursiveOpenStructGem:
|
9
|
+
Description: 'Avoid using the `RecursiveOpenStruct` gem.'
|
10
|
+
Enabled: true
|
11
|
+
VersionAdded: '0.1.0'
|
12
|
+
|
13
|
+
Vendor/RecursiveOpenStructUse:
|
14
|
+
Description: 'Avoid using the `RecursiveOpenStruct` gem.'
|
15
|
+
Enabled: true
|
16
|
+
VersionAdded: '0.1.0'
|
17
|
+
|
18
|
+
Vendor/RollbarInsideRescue:
|
19
|
+
Description: 'Only call Rollbar when handling errors inside a `rescue` block.'
|
20
|
+
Enabled: true
|
21
|
+
VersionAdded: '0.1.0'
|
2
22
|
|
3
23
|
Vendor/RollbarInterpolation:
|
4
24
|
Description: 'Avoid interpolation to improve error grouping.'
|
@@ -19,3 +39,23 @@ Vendor/RollbarWithException:
|
|
19
39
|
Description: 'Always pass exception parameter when calling `Rollbar.error` or `critical`.'
|
20
40
|
Enabled: true
|
21
41
|
VersionAdded: '0.1.0'
|
42
|
+
|
43
|
+
Vendor/SidekiqThrottledGem:
|
44
|
+
Description: 'Avoid using the `sidekiq-throttled` gem.'
|
45
|
+
Enabled: true
|
46
|
+
VersionAdded: '0.1.0'
|
47
|
+
|
48
|
+
Vendor/StrictDryStruct:
|
49
|
+
Description: 'Avoid using `Dry::Struct` without schema schema.strict'
|
50
|
+
Enabled: true
|
51
|
+
VersionAdded: '0.1.0'
|
52
|
+
|
53
|
+
Vendor/WsSdkPathArraySlash:
|
54
|
+
Description: 'Avoid using `ws_sdk` with path array with slash.'
|
55
|
+
Enabled: true
|
56
|
+
VersionAdded: '0.12.0'
|
57
|
+
|
58
|
+
Vendor/WsSdkPathInjection:
|
59
|
+
Description: 'Avoid using `ws_sdk` with path injection.'
|
60
|
+
Enabled: true
|
61
|
+
VersionAdded: '0.12.0'
|
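Review bot: The new `Vendor/WsSdkPathInjection` and `Vendor/WsSdkPathArraySlash` entries enable cops that ship an autocorrector but declare neither `Safe` nor `SafeAutoCorrect`, so `rubocop -a` applies their rewrite by default; because turning a string path into an array of components can change the request the client sends (the cops' `correct_path` splits literals on `/` and gives each interpolation its own segment), add `SafeAutoCorrect: false` to both entries so only `rubocop -A` applies them. The `Vendor/StrictDryStruct` description added in this hunk reads `without schema schema.strict`; the duplicated word should presumably be `without schema.strict`.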
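--- /dev/null
+++ b/data/lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage
+# where the array format is used, but it contains (probably not) intended slashes.
+# These slashes will be converted to %2f instead of a path component.
+#
+# @example
+# # bad
+# Ws::AccountService.post(["/test/foo"]) # forward flash will be converted to %2f
+#
+# # good
+# Ws::AccountService.post(["test", "foo"])
+#
+class WsSdkPathArraySlash < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+When switching to array arguments, you must put each path component individually
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+path, = ws_sdk_service_call?(node)
+return unless path&.array_type?
+
+strings_with_slash = path.children.select { |n| n.str_type? && n.value.include?('/') }
+
+strings_with_slash.each do |str_node|
+add_offense(str_node) do |corrector|
+correct_path(corrector, path)
+end
+end
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+path.children.flat_map do |child|
+if child.str_type? && child.value.include?('/')
+child.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+else
+[child.source]
+end
+end
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+end
+end
+end
+end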
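Review bot: `correct_path` rebuilds each component as `"\"#{v}\""`, which emits invalid or different Ruby source whenever the original literal contains a double quote, a backslash or `#{`; use `String#inspect` so the emitted literal is escaped: `.split('/').map(&:inspect)`. The same expression is duplicated in `convert_str_node_to_array_source` of `ws_sdk_path_injection.rb` in this commit and needs the same fix. Note also that `split('/')` discards empty segments, so `["a//b"]` is rewritten to `["a", "b"]` and a lone `"/"` element vanishes from the array entirely; if that is not intended, the cop should report those cases without registering a correction. The `@example` comment on line 14 says `forward flash` where `forward slash` is meant.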
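--- /dev/null
+++ b/data/lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'parser/current'
+
+module RuboCop
+module Cop
+module Vendor
+# This cop checks for `Ws::Service#get,patch,post,put,delete,...` usage and suggests to use component based paths
+# instead of using interpolated values that could be user input.
+#
+# This is to avoid path injection, a potential security vulnerability!
+#
+# @example
+# # bad
+# # could post to /api/accounts with same credentials (e.g. by passing "?" as account_id)
+# Ws::AccountService.post("/api/accounts/#{account_id}/details")
+#
+# # good
+# Ws::AccountService.post(["api","accounts", account_id, "details"])
+#
+# # okay, but prefer above
+# Ws::AccountService.post("/api/accounts/#{URI.encode_www_component(account_id)}")
+#
+class WsSdkPathInjection < Base
+extend AutoCorrector
+
+MSG = <<-STR.strip
+Use of paths with interpolated values is dangerous, as path injection can occur; prefer to use array of each path component
+STR
+HTTP_METHODS = Set[:get, :patch, :put, :post, :delete, :head, :options, :trace]
+
+# @!method ws_sdk_service_call?(node)
+def_node_matcher :ws_sdk_service_call?, <<-PATTERN, method: HTTP_METHODS
+(send (const (const _ :Ws) _) %method $...)
+PATTERN
+
+def on_send(node)
+return unless self.class.ws_sdk_supports_arrays?
+
+path, = ws_sdk_service_call?(node)
+return unless path.respond_to?(:type) && path.dstr_type?
+
+add_offense(path) do |corrector|
+correct_path(corrector, path)
+end
+end
+
+def self.ws_sdk_supports_arrays?
+version = Gem.loaded_specs['ws-sdk']&.version
+version && version >= Gem::Version.new('13.3.0')
+end
+
+private
+
+def correct_path(corrector, path)
+parts =
+if path.send_type?
+[path.source]
+else
+convert_str_path_to_source(path)
+end
+return unless parts # conversion to parts failed, cannot auto-correct
+
+corrector.replace(path.loc.expression, "[#{parts.join(', ')}]")
+end
+
+def convert_str_path_to_source(path)
+path.children.flat_map do |child|
+case child&.type
+when :str
+convert_str_node_to_array_source(child)
+when :begin # begin interpolation
+child.children.first.source
+when :send
+child.source
+else
+break # do not know how to auto-correct other types
+end
+end
+end
+
+def convert_str_node_to_array_source(node)
+node.value.delete_prefix('/').delete_suffix('/').split('/').map { |v| "\"#{v}\"" }
+end
+end
+end
+end
+end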
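Review bot: `convert_str_path_to_source` gives every interpolation its own path component regardless of where it sits in the string, so `"/api/accounts/#{id}s"` is rewritten to `["api", "accounts", id, "s"]` and a trailing literal such as `"?expand=1"` becomes an encoded segment — the autocorrect silently changes the request the client sends. The rewrite should only be offered when each interpolation is bounded by `/` on both sides; otherwise return `nil` so `correct_path` keeps the offense but skips the correction, as in the excerpt below. Separately, the `path.send_type?` branch in `correct_path` is unreachable because `on_send` returns unless `path.dstr_type?`, which also means concatenated paths such as `"/api/accounts/" + account_id` are never flagged — either drop the branch or widen the matcher to cover them. `ws_sdk_supports_arrays?` turns the cop into a no-op when `ws-sdk` is absent from `Gem.loaded_specs` (e.g. RuboCop invoked outside the project bundle) with, as far as the hunk shows, no message; a one-time `warn` there would keep this security check from failing silently. The `@example` comment also names `URI.encode_www_component`, which does not exist; the method is `URI.encode_www_form_component`.
```ruby
def convert_str_path_to_source(path)
  return unless interpolations_segment_aligned?(path)

  # … unchanged: flat_map over path.children …
end

# True when every interpolation occupies a whole path segment: the literal
# before it ends with '/' and the literal after it starts with '/'.
def interpolations_segment_aligned?(path)
  path.children.each_cons(2).all? do |left, right|
    if left.str_type? && !right.str_type?
      left.value.end_with?('/')
    elsif !left.str_type? && right.str_type?
      right.value.start_with?('/')
    else
      true
    end
  end
end
```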
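--- a/data/lib/rubocop/cop/vendor_cops.rb
+++ b/data/lib/rubocop/cop/vendor_cops.rb
@@ -13,3 +13,5 @@ require_relative 'vendor/rollbar_log'
 require_relative 'vendor/rollbar_logger'
 require_relative 'vendor/rollbar_with_exception'
 require_relative 'vendor/strict_dry_struct'
+require_relative 'vendor/ws_sdk_path_array_slash'
+require_relative 'vendor/ws_sdk_path_injection'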
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rubocop-vendor
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.12.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Danilo Cabello
|
@@ -10,7 +10,7 @@ authors:
|
|
10
10
|
autorequire:
|
11
11
|
bindir: bin
|
12
12
|
cert_chain: []
|
13
|
-
date: 2023-
|
13
|
+
date: 2023-08-02 00:00:00.000000000 Z
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|
16
16
|
name: rubocop
|
@@ -18,14 +18,14 @@ dependencies:
|
|
18
18
|
requirements:
|
19
19
|
- - ">="
|
20
20
|
- !ruby/object:Gem::Version
|
21
|
-
version: 0
|
21
|
+
version: '0'
|
22
22
|
type: :runtime
|
23
23
|
prerelease: false
|
24
24
|
version_requirements: !ruby/object:Gem::Requirement
|
25
25
|
requirements:
|
26
26
|
- - ">="
|
27
27
|
- !ruby/object:Gem::Version
|
28
|
-
version: 0
|
28
|
+
version: '0'
|
29
29
|
- !ruby/object:Gem::Dependency
|
30
30
|
name: git
|
31
31
|
requirement: !ruby/object:Gem::Requirement
|
@@ -68,6 +68,20 @@ dependencies:
|
|
68
68
|
- - ">="
|
69
69
|
- !ruby/object:Gem::Version
|
70
70
|
version: '0'
|
71
|
+
- !ruby/object:Gem::Dependency
|
72
|
+
name: ws-style
|
73
|
+
requirement: !ruby/object:Gem::Requirement
|
74
|
+
requirements:
|
75
|
+
- - ">="
|
76
|
+
- !ruby/object:Gem::Version
|
77
|
+
version: '0'
|
78
|
+
type: :development
|
79
|
+
prerelease: false
|
80
|
+
version_requirements: !ruby/object:Gem::Requirement
|
81
|
+
requirements:
|
82
|
+
- - ">="
|
83
|
+
- !ruby/object:Gem::Version
|
84
|
+
version: '0'
|
71
85
|
description: |2
|
72
86
|
A collection of RuboCop cops to check for vendor integration
|
73
87
|
in Ruby code.
|
@@ -93,6 +107,8 @@ files:
|
|
93
107
|
- lib/rubocop/cop/vendor/rollbar_with_exception.rb
|
94
108
|
- lib/rubocop/cop/vendor/sidekiq_throttled_gem.rb
|
95
109
|
- lib/rubocop/cop/vendor/strict_dry_struct.rb
|
110
|
+
- lib/rubocop/cop/vendor/ws_sdk_path_array_slash.rb
|
111
|
+
- lib/rubocop/cop/vendor/ws_sdk_path_injection.rb
|
96
112
|
- lib/rubocop/cop/vendor_cops.rb
|
97
113
|
- lib/rubocop/vendor.rb
|
98
114
|
- lib/rubocop/vendor/inject.rb
|
@@ -122,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
122
138
|
- !ruby/object:Gem::Version
|
123
139
|
version: '0'
|
124
140
|
requirements: []
|
125
|
-
rubygems_version: 3.
|
141
|
+
rubygems_version: 3.4.10
|
126
142
|
signing_key:
|
127
143
|
specification_version: 4
|
128
144
|
summary: Automatic vendor integration checking tool for Ruby code.
|