simplycop 1.0.0.pre

data/Rakefile

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'

data/bin/console

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'simplycop'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/simplycop.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'simplycop/version'
+
+module Simplycop
+  # NO-OP
+end

data/lib/simplycop/custom_cops/constantize.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module CustomCops
+  #  This cop checks for the presence of dynamically generated constants
+  #
+  # @example
+  #   #bad
+  #   "FOO_BAR".constantize
+  #
+  #   #good
+  #   FOO_BAR
+  #
+  class Constantize < RuboCop::Cop::Cop
+    MSG = 'Avoid dynamically creating constants.'
+
+    def_node_matcher :constantizing?, '(send ... :constantize)'
+
+    def on_send(node)
+      return unless constantizing?(node)
+
+      add_offense(node, location: :selector)
+    end
+  end
+end

data/lib/simplycop/custom_cops/define_method.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module CustomCops
+  #  This cop checks for dynamically defining methods
+  #
+  # @example
+  #   #bad
+  #   Foo.define_method(:bar) { p 'bar }
+  #
+  #   #good
+  #   #create the method on the object
+  #   class Foo
+  #      def self.bar
+  #        puts 'bar'
+  #      end
+  #   end
+  #
+  class DefineMethod < RuboCop::Cop::Cop
+    MSG = 'Avoid define_method.'
+
+    def_node_matcher :defining_method?, '(send _ :define_method ...)'
+
+    def on_send(node)
+      return unless defining_method?(node)
+
+      add_offense(node, location: :selector)
+    end
+  end
+end

data/lib/simplycop/custom_cops/instance_eval.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module CustomCops
+  #  This cop checks for usages of `instance_eval`
+  #
+  # @example
+  #   #bad
+  #   class Person
+  #   end
+  #
+  #   Person.instance_eval do
+  #     def human?
+  #       true
+  #     end
+  #   end
+  #
+  #   #good
+  #   class Person
+  #     def self.human?
+  #       true
+  #     end
+  #   end
+  #
+  class InstanceEval < RuboCop::Cop::Cop
+    MSG = 'Avoid instance_eval.'
+
+    def_node_matcher :instance_evaling?, '(send _ :instance_eval ...)'
+
+    def on_send(node)
+      return unless instance_evaling?(node)
+
+      add_offense(node, location: :selector)
+    end
+  end
+end

data/lib/simplycop/custom_cops/method_missing.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module CustomCops
+  #  This cop checks for the presence of `method_missing`
+  #
+  # @example
+  #   #bad
+  #   def method_missing
+  #   end
+  #
+  #   #good
+  #
+  #   not using method missing
+  #
+  class MethodMissing < RuboCop::Cop::Cop
+    MSG = 'Avoid method missing.'
+
+    def on_def(node)
+      return unless node.method?(:method_missing)
+
+      add_offense(node)
+    end
+    alias on_defs on_def
+  end
+end

data/lib/simplycop/custom_cops/timecop_without_block.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module CustomCops
+  class TimecopWithoutBlock < RuboCop::Cop::Cop
+    MSG = 'Avoid using `Timecop.%<method>s` without providing a block.'
+
+    def_node_matcher :timecop_method, '(send (const nil? :Timecop) ${:travel :freeze} ...)'
+
+    def on_send(node)
+      timecop_method(node) do |method_name|
+        return if !method_name || first_child_of_block?(node) || last_child_is_a_block(node)
+
+        add_offense(node, location: :selector, message: format(MSG, method: method_name))
+      end
+    end
+
+    private
+
+    # Checks if the given node's parent is a block, and the given node is its first child,
+    # which would mean that the block is supplied to the given node (i.e `node { block }`)
+    def first_child_of_block?(node)
+      return false unless (parent = node.parent)
+
+      return false unless parent.type == :block
+
+      parent.children.first == node
+    end
+
+    # Checks whether the last child of the given node is a block.
+    # this denotes the following structure:
+    # `Timecop.method(arg1, arg2, &block)`, which is also a valid way of passing in a block
+    def last_child_is_a_block(node)
+      node.children.last&.type == :block_pass
+    end
+  end
+end

data/lib/simplycop/security/check_for_vulnerable_code.rb

@@ -0,0 +1,34 @@
+module Security
+  class CheckForVulnerableCode < RuboCop::Cop::Cop
+    RESULT = {}
+
+    def self.read_file
+      gem_path = File.expand_path("#{File.dirname(__FILE__)}../../../../")
+
+      file = File.open("#{gem_path}/vuln_db.json", "r").read.strip
+      json = JSON.parse(file)
+      json["vulnerabilities"]["rails"]
+    end
+
+    VULNERABILITY_LIST = read_file
+
+    VULNERABILITY_LIST.each do |string|
+      search = string["search_string"]
+      info = string["info"]
+
+      RESULT[search.to_sym] = info
+      def_node_matcher search.to_sym, "(send _ :#{search} _)"
+    end
+
+    def on_send(node)
+      _, method = *node
+      return unless method
+
+      if (info = RESULT[method])
+        message = "Rails: Possible vulnerability found, CVE Details - #{info} "
+
+        add_offense(node, location: :selector, message: message)
+      end
+    end
+  end
+end

data/lib/simplycop/security/csrf_token_validation.rb

@@ -0,0 +1,18 @@
+module Security
+  class CSRFTokenValidation < RuboCop::Cop::Cop
+    MSG = 'Do not disable authenticity token validation'
+    def_node_matcher :skip_before_action, '(send _ :skip_before_action _)'
+
+    def on_send(node)
+      return unless skip_before_action(node)
+
+      _, _, parts = *node
+      method = parts.node_parts
+      add_offense(node, location: :selector) if found_match(method[0])
+    end
+
+    def found_match(method)
+      [:verify_authenticity_token , 'verify_authenticity_token'].include?(method)
+    end
+  end
+end

data/lib/simplycop/security/reject_all_requests_local.rb

@@ -0,0 +1,25 @@
+module Security
+  class RejectAllRequestsLocal < RuboCop::Cop::Cop
+    RAILS_ENV = ['integration', 'staging', 'production']
+
+    MSG = "RAILS CONFIG: Restrict usage of option 'consider_all_requests_local' on #{RAILS_ENV.join(', ')} envs"
+    def_node_matcher "consider_all_requests_local", '(send (send nil :config) :consider_all_requests_local= (true))'
+
+    def on_send(node)
+      source = node.source
+      file_name = node.loc.operator.to_s
+
+      add_offense(node, location: :selector) if found_match(source) && black_listed?(file_name)
+    end
+
+    def black_listed?(string)
+      RAILS_ENV.each_with_object([]) do |env, results|
+        results << string.include?(env)
+      end.any?(true)
+    end
+
+    def found_match(string)
+      string.match(/config.consider_all_requests\S?.*=\s?.*true/) ? true : false
+    end
+  end
+end

data/lib/simplycop/version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# === USE Semantic Versioning ===
+# MAJOR version when you make incompatible API changes,
+# MINOR version when you add functionality in a backwards compatible manner
+# PATCH version when you make backwards compatible bug fixes.
+#
+
+module Simplycop
+  VERSION = '1.0.0.pre'
+end

data/simplycop.gemspec

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'simplycop/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'simplycop'
+  spec.version       = Simplycop::VERSION
+  spec.authors       = ['Simply Business']
+  spec.email         = ['tech@simplybusiness.co.uk']
+  spec.required_ruby_version = '>= 2.6.0'
+  spec.license       = 'Copyright SimplyBusiness'
+  spec.summary       = 'Provides a single point of reference for common rubocop rules.'
+  spec.description   = 'Require this gem in your application to use Simply Business common rubocop rules.'
+  spec.homepage      = 'https://github.com/simplybusiness/simplycop'
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'rubocop', '~> 1.3.1'
+  spec.add_dependency 'rubocop-rails', '~> 2.8.1'
+  spec.add_dependency 'rubocop-rspec', '~> 2.0.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake', '>= 12.3.3'
+  spec.add_development_dependency 'rspec', '~> 3.10'
+end

data/vuln_db.json

@@ -0,0 +1,8 @@
+{"vulnerabilities":
+  {"rails": [
+    {
+      "search_string": "caches_page",
+      "info": "https://nvd.nist.gov/vuln/detail/CVE-2020-8159"
+    }
+  ]}
+}

metadata

@@ -0,0 +1,159 @@
+--- !ruby/object:Gem::Specification
+name: simplycop
+version: !ruby/object:Gem::Version
+  version: 1.0.0.pre
+platform: ruby
+authors:
+- Simply Business
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-12-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.3.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.8.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.8.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.10'
+description: Require this gem in your application to use Simply Business common rubocop
+  rules.
+email:
+- tech@simplybusiness.co.uk
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".custom_simplycop.yml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/publish_gem.yml"
+- ".github/workflows/version_forget_me_not.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".simplycop.yml"
+- ".simplycop_metaprogramming.yml"
+- ".simplycop_rails.yml"
+- ".simplycop_rspec.yml"
+- ".simplycop_security.yml"
+- CODEOWNERS
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/simplycop.rb
+- lib/simplycop/custom_cops/constantize.rb
+- lib/simplycop/custom_cops/define_method.rb
+- lib/simplycop/custom_cops/instance_eval.rb
+- lib/simplycop/custom_cops/method_missing.rb
+- lib/simplycop/custom_cops/timecop_without_block.rb
+- lib/simplycop/security/check_for_vulnerable_code.rb
+- lib/simplycop/security/csrf_token_validation.rb
+- lib/simplycop/security/reject_all_requests_local.rb
+- lib/simplycop/version.rb
+- simplycop.gemspec
+- vuln_db.json
+homepage: https://github.com/simplybusiness/simplycop
+licenses:
+- Copyright SimplyBusiness
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubygems_version: 3.1.4
+signing_key: 
+specification_version: 4
+summary: Provides a single point of reference for common rubocop rules.
+test_files: []