rubocop 1.79.2 → 1.87.0

data/lib/rubocop/cop/naming/predicate_method.rb

@@ -6,7 +6,7 @@ module RuboCop
       # Checks that predicate methods end with `?` and non-predicate methods do not.
       #
       # The names of predicate methods (methods that return a boolean value) should end
-      # in a question mark. Methods that don't return a boolean, shouldn't
+      # in a question mark. Methods that don't return a boolean shouldn't
       # end in a question mark.
       #
       # The cop assesses a predicate method as one that returns boolean values. Likewise,
@@ -14,7 +14,7 @@ module RuboCop
       # method calls are assumed to return boolean values. The cop does not make an assessment
       # if the return type is unknown (non-predicate method calls, variables, etc.).
       #
-      # NOTE: Operator methods (`def ==`, etc.) are ignored.
+      # NOTE: The `initialize` method and operator methods (`def ==`, etc.) are ignored.
       #
       # By default, the cop runs in `conservative` mode, which allows a method to be named
       # with a question mark as long as at least one return value is boolean. In `aggressive`
@@ -22,7 +22,7 @@ module RuboCop
       # return values are detected.
       #
       # The cop also has `AllowedMethods` configuration in order to prevent the cop from
-      # registering an offense from a method name that does not confirm to the naming
+      # registering an offense from a method name that does not conform to the naming
       # guidelines. By default, `call` is allowed. The cop also has `AllowedPatterns`
       # configuration to allow method names by regular expression.
       #
@@ -113,6 +113,18 @@ module RuboCop
       #     true
       #   end
       #
+      # @example AllowedMethods: [call] (default)
+      #   # good
+      #   def call
+      #     foo == bar
+      #   end
+      #
+      # @example AllowedPatterns: [\Afoo]
+      #   # good
+      #   def foo?
+      #     'foo'
+      #   end
+      #
       # @example AllowBangMethods: false (default)
       #   # bad
       #   def save!
@@ -125,6 +137,17 @@ module RuboCop
       #     true
       #   end
       #
+      # @example WaywardPredicates: ['infinite?', 'nonzero?'] (default)
+      #   # good
+      #   def non_predicate_method(num)
+      #     num.infinite?
+      #   end
+      #
+      #   # good
+      #   def non_predicate_method(num)
+      #     num.nonzero?
+      #   end
+      #
       class PredicateMethod < Base
         include AllowedMethods
         include AllowedPattern
@@ -149,7 +172,8 @@ module RuboCop
         private
 
         def allowed?(node)
-          allowed_method?(node.method_name) ||
+          node.method?(:initialize) ||
+            allowed_method?(node.method_name) ||
             matches_allowed_pattern?(node.method_name) ||
             allowed_bang_method?(node) ||
             node.operator_method? ||
@@ -180,8 +204,7 @@ module RuboCop
             return_values << extract_return_value(return_node)
           end
 
-          last_value = last_value(node)
-          return_values << last_value if last_value
+          return_values << last_value(node)
 
           process_return_values(return_values)
         end
@@ -234,8 +257,9 @@ module RuboCop
         end
 
         def last_value(node)
-          value = node.begin_type? ? node.children.last : node
-          value&.return_type? ? extract_return_value(value) : value
+          value = node.begin_type? ? node.children.last || s(:nil) : node
+
+          value.return_type? ? extract_return_value(value) : value
         end
 
         def process_return_values(return_values)

data/lib/rubocop/cop/naming/predicate_prefix.rb

@@ -17,7 +17,7 @@ module RuboCop
       # they end with a `?`. These methods should be changed to remove the
       # prefix.
       #
-      # When `UseSorbetSigs` set to true (optional), the cop will only report
+      # When `UseSorbetSigs` is set to true (optional), the cop will only report
       # offenses if the method has a Sorbet `sig` with a return type of
       # `T::Boolean`. Dynamic methods are not supported with this configuration.
       #
@@ -63,17 +63,17 @@ module RuboCop
       #   end
       #
       # @example UseSorbetSigs: false (default)
-      #  # bad
-      #  sig { returns(String) }
-      #  def is_this_thing_on
-      #    "yes"
-      #  end
-      #
-      #  # good - Sorbet signature is not evaluated
-      #  sig { returns(String) }
-      #  def is_this_thing_on?
-      #    "yes"
-      #  end
+      #   # bad
+      #   sig { returns(String) }
+      #   def is_this_thing_on
+      #     "yes"
+      #   end
+      #
+      #   # good - Sorbet signature is not evaluated
+      #   sig { returns(String) }
+      #   def is_this_thing_on?
+      #     "yes"
+      #   end
       #
       # @example UseSorbetSigs: true
       #   # bad

data/lib/rubocop/cop/naming/rescued_exceptions_variable_name.rb

@@ -3,7 +3,7 @@
 module RuboCop
   module Cop
     module Naming
-      # Makes sure that rescued exceptions variables are named as
+      # Makes sure that rescued exception variables are named as
       # expected.
       #
       # The `PreferredName` config option takes a `String`. It represents

data/lib/rubocop/cop/offense.rb

@@ -66,6 +66,13 @@ module RuboCop
         alias_method :last_line, :line
         alias_method :last_column, :column
 
+        attr_reader :source_buffer
+
+        def initialize(line, column, source_line, begin_pos, end_pos)
+          super
+          @source_buffer = Parser::Source::Buffer.new('(pseudo)', source: source_line)
+        end
+
         def column_range
           column...last_column
         end
@@ -91,6 +98,14 @@ module RuboCop
         freeze
       end
 
+      def marshal_dump
+        [@severity, @location, @message, @cop_name, @status]
+      end
+
+      def marshal_load(array)
+        @severity, @location, @message, @cop_name, @status = array
+      end
+
       # @api public
       #
       # @!attribute [r] correctable?
@@ -139,7 +154,8 @@ module RuboCop
       # @return [Parser::Source::Range]
       #   the range of the code that is highlighted
       def highlighted_area
-        Parser::Source::Range.new(source_line, column, column + column_length)
+        source_buffer = Parser::Source::Buffer.new(location.source_buffer.name, source: source_line)
+        Parser::Source::Range.new(source_buffer, column, column + column_length)
       end
 
       # @api private

data/lib/rubocop/cop/registry.rb

@@ -16,7 +16,7 @@ module RuboCop
     end
 
     # Registry that tracks all cops by their badge and department.
-    class Registry
+    class Registry # rubocop:disable Metrics/ClassLength
       include Enumerable
 
       def self.all
@@ -46,18 +46,25 @@ module RuboCop
         global.qualify_badge(badge).first == badge
       end
 
-      attr_reader :options
+      attr_reader :options, :warnings
 
       def initialize(cops = [], options = {})
-        @registry = {}
-        @departments = {}
-        @cops_by_cop_name = Hash.new { |hash, key| hash[key] = [] }
+        @departments = Set.new
+        @cops_by_badge = {}
+        @lazy_loaded_cops_by_badge = {}
 
         @enrollment_queue = cops
         @options = options
 
         @enabled_cache = {}.compare_by_identity
         @disabled_cache = {}.compare_by_identity
+        @warnings = {}
+      end
+
+      def lazy_load(cop_name, constant_name)
+        badge = Badge.parse(cop_name)
+        @departments << badge.department
+        @lazy_loaded_cops_by_badge[badge] = constant_name
       end
 
       def enlist(cop)
@@ -71,22 +78,17 @@ module RuboCop
       # @return [Array<Symbol>] list of departments for current cops.
       def departments
         clear_enrollment_queue
-        @departments.keys
+        @departments.to_a
       end
 
       # @return [Registry] Cops for that specific department.
       def with_department(department)
-        clear_enrollment_queue
-        with(@departments.fetch(department, []))
+        with(cops.select { |cop| cop.department == department })
       end
 
       # @return [Registry] Cops not for a specific department.
       def without_department(department)
-        clear_enrollment_queue
-        without_department = @departments.dup
-        without_department.delete(department)
-
-        with(without_department.values.flatten)
+        with(cops.reject { |cop| cop.department == department })
       end
 
       # @return [Boolean] Checks if given name is department
@@ -132,7 +134,7 @@ module RuboCop
       # @return [String] Qualified cop name
       def qualified_cop_name(name, path, warn: true)
         badge = Badge.parse(name)
-        print_warning(name, path) if warn && department_missing?(badge, name)
+        print_department_missing_warning(name, path) if warn && department_missing?(badge, name)
         return name if registered?(badge)
 
         potential_badges = qualify_badge(badge)
@@ -148,42 +150,44 @@ module RuboCop
         !badge.qualified? && unqualified_cop_names.include?(name)
       end
 
-      def print_warning(name, path)
-        message = "#{path}: Warning: no department given for #{name}."
+      def print_department_missing_warning(name, path)
+        message = "no department given for #{name}."
         if path.end_with?('.rb')
           message += ' Run `rubocop -a --only Migration/DepartmentName` to fix.'
         end
-        warn message
+        emit_warning(path, message)
       end
 
       def unqualified_cop_names
         clear_enrollment_queue
         @unqualified_cop_names ||=
-          Set.new(@cops_by_cop_name.keys.map { |qn| File.basename(qn) }) <<
-          'RedundantCopDisableDirective'
+          (@cops_by_badge.keys | @lazy_loaded_cops_by_badge.keys)
+          .to_set { |badge| File.basename(badge.to_s) } << 'RedundantCopDisableDirective'
       end
 
       def qualify_badge(badge)
         clear_enrollment_queue
         @departments
-          .map { |department, _| badge.with_department(department) }
+          .map { |department| badge.with_department(department) }
           .select { |potential_badge| registered?(potential_badge) }
       end
 
       # @return [Hash{String => Array<Class>}]
       def to_h
         clear_enrollment_queue
-        @cops_by_cop_name
+        load_all_lazy_cops
+        @cops_by_badge.to_h { |_badge, cop| [cop.cop_name, [cop]] }
       end
 
       def cops
         clear_enrollment_queue
-        @registry.values
+        load_all_lazy_cops
+        @cops_by_badge.values
       end
 
       def length
         clear_enrollment_queue
-        @registry.size
+        @cops_by_badge.size + @lazy_loaded_cops_by_badge.size
       end
 
       def enabled(config)
@@ -218,7 +222,8 @@ module RuboCop
       end
 
       def names
-        cops.map(&:cop_name)
+        clear_enrollment_queue
+        @cops_by_badge.keys.map(&:to_s) | @lazy_loaded_cops_by_badge.keys.map(&:to_s)
       end
 
       def cops_for_department(department)
@@ -235,7 +240,8 @@ module RuboCop
 
       def sort!
         clear_enrollment_queue
-        @registry = @registry.sort_by { |badge, _| badge.cop_name }.to_h
+        load_all_lazy_cops
+        @cops_by_badge = @cops_by_badge.sort_by { |badge, _cop| badge.cop_name }.to_h
 
         self
       end
@@ -251,7 +257,9 @@ module RuboCop
       # @param [String] cop_name
       # @return [Class, nil]
       def find_by_cop_name(cop_name)
-        to_h[cop_name].first
+        clear_enrollment_queue
+        badge = Badge.parse(cop_name)
+        @cops_by_badge[badge] || load_lazy_cop(badge)
       end
 
       # When a cop name is given returns a single-element array with the cop class.
@@ -264,6 +272,7 @@ module RuboCop
 
       def freeze
         clear_enrollment_queue
+        load_all_lazy_cops
         unqualified_cop_names # build cache
         super
       end
@@ -274,6 +283,10 @@ module RuboCop
         attr_reader :global
       end
 
+      def warnings?(path)
+        @warnings[path]
+      end
+
       private
 
       def initialize_copy(reg)
@@ -284,34 +297,45 @@ module RuboCop
         return if @enrollment_queue.empty?
 
         @enrollment_queue.each do |cop|
-          @registry[cop.badge] = cop
-          @departments[cop.department] ||= []
-          @departments[cop.department] << cop
-          @cops_by_cop_name[cop.cop_name] << cop
+          @cops_by_badge[cop.badge] = cop
+          @departments << cop.department
         end
         @enrollment_queue = []
       end
 
+      def load_all_lazy_cops
+        @lazy_loaded_cops_by_badge.each_key { |badge| load_lazy_cop(badge) }
+      end
+
+      def load_lazy_cop(badge)
+        constant_name = @lazy_loaded_cops_by_badge.delete(badge)
+        return unless constant_name
+
+        @cops_by_badge[badge] = Kernel.const_get(constant_name)
+      end
+
       def with(cops)
         self.class.new(cops)
       end
 
       def resolve_badge(given_badge, real_badge, source_path, warn: true)
-        unless given_badge.match?(real_badge)
-          path = PathUtil.smart_path(source_path)
-
-          if warn
-            warn("#{path}: #{given_badge} has the wrong namespace - " \
-                 "replace it with #{given_badge.with_department(real_badge.department)}")
-          end
+        if warn && !given_badge.match?(real_badge)
+          emit_warning(source_path,
+                       "#{given_badge} has the wrong namespace - " \
+                       "replace it with #{given_badge.with_department(real_badge.department)}")
         end
 
         real_badge.to_s
       end
 
+      def emit_warning(path, message)
+        Registry.global.warnings[path] = true
+        warn "#{PathUtil.smart_path(path)}: Warning: #{message}"
+      end
+
       def registered?(badge)
         clear_enrollment_queue
-        @registry.key?(badge)
+        @cops_by_badge.key?(badge) || @lazy_loaded_cops_by_badge.key?(badge)
       end
     end
   end

data/lib/rubocop/cop/security/eval.rb

@@ -3,15 +3,28 @@
 module RuboCop
   module Cop
     module Security
-      # Checks for the use of `Kernel#eval` and `Binding#eval`.
+      # Checks for the use of `Kernel#eval` and `Binding#eval` with
+      # dynamic strings as arguments. Evaluating non-literal strings
+      # can enable code injection attacks and makes it difficult to
+      # reason about what code will actually be executed.
+      #
+      # Calls to `eval` with literal strings are not flagged by this cop,
+      # as they do not pose the same injection risk.
       #
       # @example
       #
       #   # bad
-      #
       #   eval(something)
       #   binding.eval(something)
       #   Kernel.eval(something)
+      #
+      #   # good - use safer alternatives
+      #   obj.public_send(method_name)
+      #   obj.send(method_name, *args)
+      #
+      #   # good - literal strings are allowed
+      #   eval("1 + 1")
+      #   binding.eval("foo")
       class Eval < Base
         MSG = 'The use of `eval` is a serious security risk.'
         RESTRICT_ON_SEND = %i[eval].freeze

data/lib/rubocop/cop/security/io_methods.rb

@@ -10,7 +10,7 @@ module RuboCop
       # a subprocess is created in the same way as `Kernel#open`, and its output is returned.
       # `Kernel#open` may allow unintentional command injection, which is the reason these
       # `IO` methods are a security risk.
-      # Consider to use `File.read` to disable the behavior of subprocess invocation.
+      # Consider using `File.read` to disable the behavior of subprocess invocation.
       #
       # @safety
       #   This cop is unsafe because false positive will occur if the variable passed as

data/lib/rubocop/cop/security/json_load.rb

@@ -6,22 +6,40 @@ module RuboCop
       # Checks for the use of JSON class methods which have potential
       # security issues.
       #
+      # `JSON.load` and similar methods allow deserialization of arbitrary ruby objects:
+      #
+      # [source,ruby]
+      # ----
+      # require 'json/add/string'
+      # result = JSON.load('{ "json_class": "String", "raw": [72, 101, 108, 108, 111] }')
+      # pp result # => "Hello"
+      # ----
+      #
+      # Never use `JSON.load` for untrusted user input. Prefer `JSON.parse` unless you have
+      # a concrete use-case for `JSON.load`.
+      #
+      # NOTE: Starting with `json` gem version 2.8.0, triggering this behavior without explicitly
+      # passing the `create_additions` keyword argument emits a deprecation warning, with the
+      # goal of being secure by default in the next major version 3.0.0.
+      #
       # @safety
       #   This cop's autocorrection is unsafe because it's potentially dangerous.
-      #   If using a stream, like `JSON.load(open('file'))`, it will need to call
+      #   If using a stream, like `JSON.load(open('file'))`, you will need to call
       #   `#read` manually, like `JSON.parse(open('file').read)`.
-      #   If reading single values (rather than proper JSON objects), like
-      #   `JSON.load('false')`, it will need to pass the `quirks_mode: true`
-      #   option, like `JSON.parse('false', quirks_mode: true)`.
       #   Other similar issues may apply.
       #
       # @example
       #   # bad
-      #   JSON.load("{}")
-      #   JSON.restore("{}")
+      #   JSON.load('{}')
+      #   JSON.restore('{}')
       #
       #   # good
-      #   JSON.parse("{}")
+      #   JSON.parse('{}')
+      #   JSON.unsafe_load('{}')
+      #
+      #   # good - explicit use of `create_additions` option
+      #   JSON.load('{}', create_additions: true)
+      #   JSON.load('{}', create_additions: false)
       #
       class JSONLoad < Base
         extend AutoCorrector
@@ -29,13 +47,17 @@ module RuboCop
         MSG = 'Prefer `JSON.parse` over `JSON.%<method>s`.'
         RESTRICT_ON_SEND = %i[load restore].freeze
 
-        # @!method json_load(node)
-        def_node_matcher :json_load, <<~PATTERN
-          (send (const {nil? cbase} :JSON) ${:load :restore} ...)
+        # @!method insecure_json_load(node)
+        def_node_matcher :insecure_json_load, <<~PATTERN
+          (
+            send (const {nil? cbase} :JSON) ${:load :restore}
+            ...
+            !`(pair (sym :create_additions) _)
+          )
         PATTERN
 
         def on_send(node)
-          json_load(node) do |method|
+          insecure_json_load(node) do |method|
             add_offense(node.loc.selector, message: format(MSG, method: method)) do |corrector|
               corrector.replace(node.loc.selector, 'parse')
             end

data/lib/rubocop/cop/style/access_modifier_declarations.rb

@@ -326,8 +326,7 @@ module RuboCop
           argument_less_modifier_node = find_argument_less_modifier_node(node)
           if argument_less_modifier_node
             corrector.insert_after(argument_less_modifier_node, "\n\n#{source}")
-          elsif (ancestor = node.each_ancestor(:class, :module).first)
-
+          elsif (ancestor = node.each_ancestor(:class, :module, :sclass).first)
             corrector.insert_before(ancestor.loc.end, "#{node.method_name}\n\n#{source}\n")
           else
             corrector.replace(node, "#{node.method_name}\n\n#{source}")
@@ -349,8 +348,20 @@ module RuboCop
 
         def remove_modifier_node_within_begin(corrector, modifier_node, begin_node)
           def_node = begin_node.children[begin_node.children.index(modifier_node) + 1]
-          range = modifier_node.source_range.begin.join(def_node.source_range.begin)
-          corrector.remove(range)
+          # Stop the removal range at the first comment that precedes the def, if
+          # any exist. Without this, comments between the modifier and the def are
+          # dropped because they fall inside the removed range.
+          end_pos = first_comment_or_node_start(def_node)
+          corrector.remove(modifier_node.source_range.begin.join(end_pos))
+        end
+
+        def first_comment_or_node_start(node)
+          preceding = processed_source.ast_with_comments[node].select do |comment|
+            comment.loc.line < node.loc.line
+          end
+          return node.source_range.begin if preceding.empty?
+
+          preceding.first.source_range.begin
         end
 
         def def_source(node, def_nodes)

data/lib/rubocop/cop/style/accessor_grouping.rb

@@ -4,8 +4,10 @@ module RuboCop
   module Cop
     module Style
       # Checks for grouping of accessors in `class` and `module` bodies.
-      # By default it enforces accessors to be placed in grouped declarations,
-      # but it can be configured to enforce separating them in multiple declarations.
+      # By default it enforces accessors to be placed in grouped
+      # declarations, reducing boilerplate. It can also be configured
+      # to enforce separating them into individual declarations for
+      # easier diffing and per-attribute documentation.
       #
       # NOTE: If there is a method call before the accessor method it is always allowed
       # as it might be intended like Sorbet.

data/lib/rubocop/cop/style/alias.rb

@@ -4,10 +4,13 @@ module RuboCop
   module Cop
     module Style
       # Enforces the use of either `#alias` or `#alias_method`
-      # depending on configuration.
+      # depending on configuration. Consistent use of one or the
+      # other prevents confusion about their different semantics
+      # (e.g., `alias` is resolved at parse time, while `alias_method`
+      # is resolved at runtime).
       # It also flags uses of `alias :symbol` rather than `alias bareword`.
       #
-      # However, it will always enforce `method_alias` when used `alias`
+      # However, it will always enforce `alias_method` when `alias` is used
       # in an instance method definition and in a singleton method definition.
       # If used in a block, always enforce `alias_method`
       # unless it is an `instance_eval` block.
@@ -42,6 +45,7 @@ module RuboCop
           return unless node.command?(:alias_method)
           return unless style == :prefer_alias && alias_keyword_possible?(node)
           return unless node.arguments.count == 2
+          return if alias_method_value_used?(node)
 
           msg = format(MSG_ALIAS_METHOD, current: lexical_scope_type(node))
           add_offense(node.loc.selector, message: msg) do |corrector|
@@ -77,6 +81,14 @@ module RuboCop
           scope_type(node) != :dynamic && node.arguments.all?(&:sym_type?)
         end
 
+        # `alias_method` is a method call whose return value can be used
+        # (e.g., as an argument to `public`/`module_function`, or as an assignment),
+        # but `alias` is a keyword statement that cannot appear in such positions.
+        # Detect these positions so the conversion does not produce a syntax error.
+        def alias_method_value_used?(node)
+          node.argument? || node.parent&.assignment?
+        end
+
         def alias_method_possible?(node)
           scope_type(node) != :instance_eval &&
             node.children.none?(&:gvar_type?) &&

data/lib/rubocop/cop/style/and_or.rb

@@ -128,6 +128,7 @@ module RuboCop
 
         def correct_other(node, corrector)
           return if node.parenthesized_call?
+          return if node.children.empty? && node.equal?(node.parent.children.last)
 
           corrector.wrap(node, '(', ')')
         end

data/lib/rubocop/cop/style/arguments_forwarding.rb

@@ -424,21 +424,39 @@ module RuboCop
           end
 
           def forwarded_rest_arg
-            return nil if referenced_rest_arg?
+            return @forwarded_rest_arg if defined?(@forwarded_rest_arg)
 
-            arguments.find { |arg| forwarded_rest_arg?(arg, @rest_arg_name) }
+            @forwarded_rest_arg = if referenced_rest_arg?
+                                    nil
+                                  else
+                                    arguments.find do |arg|
+                                      forwarded_rest_arg?(arg, @rest_arg_name)
+                                    end
+                                  end
           end
 
           def forwarded_kwrest_arg
-            return nil if referenced_kwrest_arg?
+            return @forwarded_kwrest_arg if defined?(@forwarded_kwrest_arg)
 
-            arguments.filter_map { |arg| extract_forwarded_kwrest_arg(arg, @kwrest_arg_name) }.first
+            @forwarded_kwrest_arg = if referenced_kwrest_arg?
+                                      nil
+                                    else
+                                      arguments.filter_map do |arg|
+                                        extract_forwarded_kwrest_arg(arg, @kwrest_arg_name)
+                                      end.first
+                                    end
           end
 
           def forwarded_block_arg
-            return nil if referenced_block_arg?
-
-            arguments.find { |arg| forwarded_block_arg?(arg, @block_arg_name) }
+            return @forwarded_block_arg if defined?(@forwarded_block_arg)
+
+            @forwarded_block_arg = if referenced_block_arg?
+                                     nil
+                                   else
+                                     arguments.find do |arg|
+                                       forwarded_block_arg?(arg, @block_arg_name)
+                                     end
+                                   end
           end
 
           def classification