spektr 0.4.1 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5efc76d3f9085d5aa78df1f4f0573e8b57bf6a19a80fe80366ffb9dc5f5b0ffe
-  data.tar.gz: 285b537f82854ec9a0dd24291478386c89118895ecb14151826078289d97e071
+  metadata.gz: 2b586f883df20f845c122f773d27dc2c63667d9ed2a69f06c3f3069ad7b29241
+  data.tar.gz: 99ae92d6f76d3cb0d26959893ee49d7351628f4813f12cfd4a606f0089e4ac16
 SHA512:
-  metadata.gz: 34d8eaf274fb3ebe686357bee5db03de636c12ae870426c9f1804ef26a1038122b3ef9746c66c2f7121d7af74631d12186e63cb5b8007aade6450252fceacaca
-  data.tar.gz: 0c51dfaf5a328e3f60b14c21296d684308b073b222101fb5294fc9189a5c699f00e7b417c7246d5a4fd1d2dfa7e36b152fbaacbe4271c7d6c318948e7a844d72
+  metadata.gz: 7247491a03096d550b1a08e4eab89cfcb6e61526057ec6a6726d45981b404feb3898392f733bcb94de78711c883eec3b6d65f95e6ae10a2480574c9f928b1f1a
+  data.tar.gz: 97030d2527e8c3d8aa1ee9ec9e0afbe4bebe5092189ff8511e4dc86744fa64ba0926f88173d33dabe433c7bbd64db3d2756aa323f79fe383edff7af2474bdc6c

data/.github/workflows/ci.yaml

@@ -18,11 +18,11 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [2.7, 3.0]
+        ruby: [3.2, 3.3, 3.4]
     steps:
       - uses: actions/checkout@v2
       - name: Set up Ruby
-        uses: ruby/setup-ruby@477b21f02be01bcb8030d50f37cfec92bfa615b6
+        uses: ruby/setup-ruby@v1
         with:
           bundler-cache: true
           ruby-version: ${{ matrix.ruby }}

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+## 0.5.0
+
+* change parser to Prism
+
 ## 0.4.1
 
 * fix core extension eager loading

data/CODE_OF_CONDUCT.md

@@ -1,74 +1,3 @@
 # Contributor Covenant Code of Conduct
 
-## Our Pledge
-
-In the interest of fostering an open and welcoming environment, we as
-contributors and maintainers pledge to making participation in our project and
-our community a harassment-free experience for everyone, regardless of age, body
-size, disability, ethnicity, gender identity and expression, level of experience,
-nationality, personal appearance, race, religion, or sexual identity and
-orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to creating a positive environment
-include:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior by participants include:
-
-* The use of sexualized language or imagery and unwelcome sexual attention or
-advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
-  address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Our Responsibilities
-
-Project maintainers are responsible for clarifying the standards of acceptable
-behavior and are expected to take appropriate and fair corrective action in
-response to any instances of unacceptable behavior.
-
-Project maintainers have the right and responsibility to remove, edit, or
-reject comments, commits, code, wiki edits, issues, and other contributions
-that are not aligned to this Code of Conduct, or to ban temporarily or
-permanently any contributor for other behaviors that they deem inappropriate,
-threatening, offensive, or harmful.
-
-## Scope
-
-This Code of Conduct applies both within project spaces and in public spaces
-when an individual is representing the project or its community. Examples of
-representing a project or community include using an official project e-mail
-address, posting via an official social media account, or acting as an appointed
-representative at an online or offline event. Representation of a project may be
-further defined and clarified by project maintainers.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at molnargerg@gmail.com. All
-complaints will be reviewed and investigated and will result in a response that
-is deemed necessary and appropriate to the circumstances. The project team is
-obligated to maintain confidentiality with regard to the reporter of an incident.
-Further details of specific enforcement policies may be posted separately.
-
-Project maintainers who do not follow or enforce the Code of Conduct in good
-faith may face temporary or permanent repercussions as determined by other
-members of the project's leadership.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at [https://contributor-covenant.org/version/1/4][version]
-
-[homepage]: https://contributor-covenant.org
-[version]: https://contributor-covenant.org/version/1/4/
+Same as Ruby: [https://www.ruby-lang.org/en/conduct/](https://www.ruby-lang.org/en/conduct/)

data/lib/spektr/app.rb

@@ -3,10 +3,6 @@ module Spektr
     attr_accessor :root, :checks, :initializers, :controllers, :models, :views, :lib_files, :routes, :warnings, :rails_version,
                   :production_config, :gem_specs, :ruby_version
 
-    def self.parser
-      @@parser ||= Parser::CurrentRuby
-    end
-
     def initialize(checks:, ignore: [], root: './')
       @root = root
       @checks = checks
@@ -21,43 +17,6 @@ module Spektr
       @ruby_version = '2.7.1'
       version_file = File.join(root, '.ruby-version')
       @ruby_version = File.read(version_file).lines.first if File.exist?(version_file)
-      case @ruby_version
-      when /^2\.0\./
-        require 'parser/ruby20'
-        @@parser = Parser::Ruby20
-      when /^2\.1\./
-        require 'parser/ruby21'
-        @@parser = Parser::Ruby21
-      when /^2\.2\./
-        require 'parser/ruby22'
-        @@parser = Parser::Ruby22
-      when /^2\.3/
-        require 'parser/ruby23'
-        @@parser = Parser::Ruby23
-      when /^2\.4\./
-        require 'parser/ruby24'
-        @@parser = Parser::Ruby24
-      when /^2\.5\./
-        require 'parser/ruby25'
-        @@parser = Parser::Ruby25
-      when /^2\.6\./
-        require 'parser/ruby26'
-        @@parser = Parser::Ruby26
-      when /^2\.7\./
-        require 'parser/ruby27'
-        @@parser = Parser::Ruby27
-      when /^3\.0\./
-        require 'parser/ruby30'
-        @@parser = Parser::Ruby30
-      when /^3\.1\./
-        require 'parser/ruby31'
-        @@parser = Parser::Ruby31
-      when /^3\.2\./
-        require 'parser/ruby32'
-        @@parser = Parser::Ruby32
-      else
-        @@parser = Parser::CurrentRuby
-      end
     end
 
     def load
@@ -94,12 +53,7 @@ module Spektr
       # TODO: load non-app lib too
       @lib_files = find_files('lib').map do |path|
         next if loaded_files.include?(path)
-        begin
-          Targets::Base.new(path, File.read(path, encoding: 'utf-8'))
-        rescue Parser::SyntaxError => e
-          ::Spektr.logger.debug "Couldn't parse #{path}: #{e.message}"
-          nil
-        end
+        Targets::Base.new(path, File.read(path, encoding: 'utf-8'))
       end.reject(&:nil?)
       self
     end
@@ -158,7 +112,7 @@ module Spektr
           name: warning.check.name,
           description: warning.message,
           path: warning.path,
-          location: warning.location&.line,
+          location: warning.location&.start_line,
           line: warning.line,
           check: warning.check.class.name,
           fingerprint: warning.fingerprint

data/lib/spektr/checks/base.rb

@@ -36,19 +36,41 @@ module Spektr
     def dupe?(path, location, message)
       @app.warnings.find do |w|
         w.path == path &&
-          (w.location.nil? || w.location&.line == location&.line) &&
+          (w.location.nil? || w.location&.start_line == location&.start_line) &&
           w.message == message
       end
     end
 
     def version_affected; end
 
-    def user_input?(type, name, ast = nil, object = nil)
-      case type
-      when :ivar, :lvar
-        # TODO: handle helpers here too
-        return false unless @target.instance_of?(Spektr::Targets::View)
-
+    def user_input?(node)
+      return false if node.nil?
+      case node.type
+      when :call_node
+        return true if %i[params cookies request].include? node.name
+        return true if node.receiver && user_input?(node.receiver)
+        if node.arguments
+          node.arguments.arguments.each do |argument|
+            return true if user_input?(argument)
+          end
+        end
+      when :embedded_statements_node
+        node.statements.body.each do |item|
+          return true if user_input? item
+        end
+      when :interpolated_string_node, :interpolated_x_string_node
+        node.parts.each do |part|
+          return true if user_input?(part)
+        end
+      when :keyword_hash_node, :hash_node
+        node.elements.each do |element|
+          return true if user_input?(element.key)
+          return true if user_input?(element.value)
+        end
+      # TODO: make this better. ivars can be overridden in the view as well and
+      # can be set in non controller targets too
+      when :instance_variable_read_node
+        return false unless @target.respond_to?(:view_path)
         actions = []
         @app.controllers.each do |controller|
           actions = actions.concat controller.actions.select { |action|
@@ -56,55 +78,33 @@ module Spektr
           }
         end
         actions.each do |action|
+          next unless action.body
           action.body.each do |exp|
-            return exp.user_input? if exp.is_a?(Exp::Ivasign) && exp.name == name
-          end
-        end
-        false
-      when :send
-        if ast.children.first&.type == :send
-          child = ast.children.first
-          return user_input?(child.type, child.children.last, child)
-        end
-        return true if %i[params cookies request].include? name
-      when :xstr, :begin
-        ast.children.each do |child|
-          next unless child.is_a?(Parser::AST::Node)
-          return true if user_input?(child.type, child.children.last, child)
-        end
-      when :dstr
-        object&.children&.each do |child|
-          if child.is_a?(Parser::AST::Node)
-            name = nil
-            ast = child
-          else
-            name = child.name
-            ast = child.ast
+            return true if exp.name == node.name && user_input?(exp)
           end
-          return true if user_input?(child.type, name, ast)
         end
-      when :lvasgn
-        ast.children.each do |child|
-          next unless child.is_a?(Parser::AST::Node)
-          return true if user_input?(child.type, child.children.last, child)
+      when :local_variable_read_node
+        return user_input?(@target.lvars.find{|n| n.name == node.name })
+      when :instance_variable_write_node, :local_variable_write_node
+        return user_input? node.value
+      when :parentheses_node
+        node.body.body.each do |item|
+          return user_input? item
         end
-      when :block, :pair, :hash, :array, :if, :or
-        ast.children.each do |child|
-          next unless child.is_a?(Parser::AST::Node)
-          return true if user_input?(child.type, child.children.last, child)
-        end
-      when :sym, :str, :const, :int, :cbase, :true, :self, :args, :nil, :yield
+
+      when :string_node, :symbol_node, :constant_read_node, :integer_node, :true_node, :constant_path_node
         # do nothing
       else
-        raise "Unknown argument type #{type} #{name} #{ast.inspect}"
+        raise "Unknown argument type #{node.type.inspect} #{node.inspect}"
       end
+      false
     end
 
     # TODO: this doesn't work properly
-    def model_attribute?(item)
+    def model_attribute?(node)
       model_names = @app.models.collect(&:name)
-      case item.type
-      when :ivar, :lvar
+      case node.type
+      when :local_variable_read_node, :instance_variable_read_node
         # TODO: handle helpers here too
         if ["Spektr::Targets::Controller", "Spektr::Targets::View"].include?(@target.class.name)
           actions = []
@@ -115,27 +115,32 @@ module Spektr
           end
           actions.each do |action|
             action.body.each do |exp|
-              return exp.user_input? if exp.is_a?(Exp::Ivasign) && exp.name == item.name
+              next unless node.respond_to?(:name)
+              return model_attribute?(exp.value) if exp.is_a?(Prism::InstanceVariableWriteNode) && exp.name == node.name
             end
           end
         end
-      when :send
-        ast = item.is_a?(Parser::AST::Node) ? item : item.ast
-        _send = Exp::Send.new(ast)
-        return true if _send.receiver && model_names.include?(_send.receiver.name)
-      when :const
-        return true if model_names.include? item.name
-      when :block, :pair, :hash, :array, :if, :or
-        item.children.each do |child|
-          next unless child.is_a?(Parser::AST::Node)
-          return true if model_attribute?(child)
+      when :call_node
+        return model_attribute?(node.receiver) if node.receiver
+        if node.arguments
+          node.arguments.arguments.each do |argument|
+            return true if model_attribute?(argument)
+          end
+        end
+      when :parentheses_node
+        node.body.body.each do |item|
+          return model_attribute? item
+        end
+      when :constant_read_node
+        return true if model_names.include? node.name.to_s
+      when :interpolated_string_node
+        node.parts.each do |item|
+          return model_attribute? item
         end
-      when :dstr
-        # TODO: implement this
-      when :sym, :str, :nil, :yield
+      when :string_node, :symbol_node, :integer_node, :constant_path_node
         # do nothing
       else
-        raise "Unknown argument type #{item.type}"
+        raise "Unknown argument type #{node.type}"
       end
     end
 
@@ -147,5 +152,25 @@ module Spektr
       version = Gem::Version.new(version) unless version.is_a? Gem::Version
       version >= Gem::Version.new(a) && version <= Gem::Version.new(b)
     end
+
+    def receivers_for(node)
+      receivers = []
+      receiver = node.receiver
+      while receiver
+        receivers <<  receiver.name
+        receiver = receiver.respond_to?(:receiver) ? receiver.receiver : false
+      end
+      receivers
+    end
+
+    def full_receiver(node)
+      parents = []
+      parent = node.receiver.parent if node.receiver.respond_to?(:parent)
+      while parent
+        parents <<  parent.name
+        parent = parent.respond_to?(:parent) ? parent.parent : false
+      end
+      parents.reverse.concat(receivers_for(node).reverse).join(".")
+    end
   end
 end

data/lib/spektr/checks/basic_auth.rb

@@ -17,7 +17,8 @@ module Spektr
       def check_filter
         calls = @target.find_calls(:http_basic_authenticate_with)
         calls.each do |call|
-          if call.options[:password] && call.options[:password].value_type == :str
+          password = call.arguments.arguments.first.elements.find{|e| e.key.unescaped == "password" }
+          if password && password.value.type == :string_node
             warn! @target, self, call.location, "Basic authentication password stored in source code"
           end
         end

data/lib/spektr/checks/command_injection.rb

@@ -11,15 +11,15 @@ module Spektr
       def run
         return unless super
         # backticks
-        @target.find_xstr.each do |call|
-          argument = call.arguments.first
-          next unless argument
-          if user_input?(argument.type, argument.name, argument.ast, argument)
-            warn! @target, self, call.location, "Command injection in #{call.name}"
+        @target.interpolated_xstrings.each do |call|
+          call.parts.each do |part|
+            if user_input?(part)
+              warn! @target, self, call.location, "Command injection"
+            end
           end
         end
 
-        targets = ["IO", "Open3", "Kernel", "POSIX::Spawn", "Process", false]
+        targets = [:IO, :Open3, :Kernel, :Spawn, :Process, false]
         methods = [:capture2, :capture2e, :capture3, :exec, :pipeline, :pipeline_r,
         :pipeline_rw, :pipeline_start, :pipeline_w, :popen, :popen2, :popen2e,
         :popen3, :spawn, :syscall, :system, :open]
@@ -32,13 +32,18 @@ module Spektr
 
       def check_calls(calls)
         # TODO: might need to exclude tempfile and ActiveStorage::Filename
+        return if calls.empty?
         calls.each do |call|
-          file_name = call.arguments.first
-          next unless file_name
-          if user_input?(file_name.type, file_name.name, file_name.ast, file_name)
+          if call.arguments.is_a?(Prism::ArgumentsNode)
+            argument = call.arguments.arguments.first
+          else
+            argument = call.arguments.first
+          end
+          next unless argument
+          if user_input?(argument) || model_attribute?(argument)
             warn! @target, self, call.location, "Command injection in #{call.name}"
           # TODO: interpolation, but might be safe, we should make this better
-          elsif file_name.type == :dstr
+          elsif argument.type == :embedded_statements_node
             warn! @target, self, call.location, "Command injection in #{call.name}", :low
           end
         end

data/lib/spektr/checks/content_tag_xss.rb

@@ -29,19 +29,27 @@ module Spektr
         cve_2016_6316_check(calls)
 
         calls.each do |call|
-          call.arguments.each do |argument|
-            if user_input?(argument.type, argument.name, argument.ast) && @app.rails_version < Gem::Version.new("3.0")
-              warn! @target, self, call.location, "Unescaped parameter in content_tag"
+          call.arguments.is_a?(Prism::ArgumentsNode) ? arguments = call.arguments.arguments : call.arguments
+          arguments.each do |argument|
+            if user_input?(argument) && @app.rails_version < Gem::Version.new("3.0")
+              warn! @target, self, call.location, "Unescaped parameter in content_tag in Rails < 3.0"
             end
-          end
-
-          if call.options.any?
-            call.options.each_value do |option|
-              if user_input?(option.key.type, option.key.children.last)
-                warn! @target, self, call.location, "Unescaped attribute name in content_tag"
+            if argument.is_a?(Prism::KeywordHashNode)
+              argument.elements.each do |element|
+                if user_input?(element.key)
+                  warn! @target, self, call.location, "Unescaped parameter in content_tag at #{element.key.name}"
+                end
               end
             end
           end
+
+          # if call.options.any?
+          #   call.options.each_value do |option|
+          #     if user_input?(option.key.type, option.key.children.last)
+          #       warn! @target, self, call.location, "Unescaped attribute name in content_tag"
+          #     end
+          #   end
+          # end
         end
       end
 

data/lib/spektr/checks/cookie_serialization.rb

@@ -12,7 +12,7 @@ module Spektr
       def run
         return unless super
         calls = @target.find_calls(:cookies_serializer=)
-        if calls.any?{ |call| call.receiver.expanded == "Rails.application.config.action_dispatch" && call.arguments.first.name == :marshal }
+        if calls.any?{ |call| full_receiver(call) == "Rails.application.config.action_dispatch" && call.arguments.arguments.first.unescaped == "marshal" }
           warn! @target, self, calls.first.location, "Marshal cookie serialization strategy can lead to remote code execution"
         end
       end

data/lib/spektr/checks/create_with.rb

@@ -13,9 +13,9 @@ module Spektr
         if app_version_between?("4.0.0", "4.0.8") || app_version_between?("4.1.0", "4.1.5")
           calls = @target.find_calls(:create_with)
           calls.each do |call|
-            call.arguments.each do |argument|
-              if user_input?(argument.type, argument.name, argument.ast)
-                next if argument.ast.children[1] == :permit
+            call.arguments.arguments.each do |argument|
+              if user_input?(argument)
+                next if argument.name == :permit
                 warn! @target, self, call.location, "create_with is vulnerable to strong params bypass"
               end
             end

data/lib/spektr/checks/csrf_setting.rb

@@ -12,27 +12,13 @@ module Spektr
         return unless super
         return if @target.concern?
 
-        enabled = false
         target = @target
-        while target
-          parent_controller = target.find_parent(@app.controllers)
-          enabled = parent_controller && parent_controller.find_calls(:protect_from_forgery).any?
-          break if enabled || parent_controller.nil?
+        return if @target.find_calls(:skip_forgery_protection).none?
 
-          target = parent_controller
-        end
-        return if enabled && @target.find_calls(:skip_forgery_protection).none?
+        skip = @target.find_calls(:skip_forgery_protection).last
+        return if skip && skip.arguments && skip.arguments.arguments.first.elements.map(&:key).map(&:unescaped).intersection(%w[only except]).any?
 
-        if @target.find_calls(:protect_from_forgery).none? || (enabled && @target.find_calls(:skip_forgery_protection).any?)
-          skip = @target.find_calls(:skip_forgery_protection).last
-          return if enabled && skip && skip.options.keys.intersection(%i[only except]).any?
-
-          warn! @target, self, nil, 'protect_from_forgery should be enabled'
-        end
-        if @target.find_calls(:skip_forgery_protection).any?
-          return @target.find_calls(:skip_forgery_protection).last.options.keys.intersection(%i[only except]).any?
-          warn! @target, self, nil, 'protect_from_forgery should be enabled'
-        end
+        warn! @target, self, nil, 'protect_from_forgery should be enabled'
       end
     end
   end

data/lib/spektr/checks/default_routes.rb

@@ -22,11 +22,12 @@ module Spektr
             memo
           end
           calls.each do |call|
-            if call.arguments.first.name == ":controller(/:action(/:id(.:format)))" or (call.arguments.first.name.include?(":controller") &&  (call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action")) )
+            argument_value = call.arguments.arguments.first.unescaped
+            if argument_value == ":controller(/:action(/:id(.:format)))" or (argument_value.include?(":controller") &&  (argument_value.include?(":action") or argument_value.include?("*action")) )
               warn! @target, self, call.location, "All public methods in controllers are available as actions"
             end
 
-            if call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action")
+            if argument_value.include?(":action") or argument_value.include?("*action")
               warn! @target, self, call.location, "All public methods in controllers are available as actions"
             end
           end

data/lib/spektr/checks/deserialize.rb

@@ -18,41 +18,37 @@ module Spektr
       end
 
       def check_csv
-        check_method(:load, "CSV")
+        check_method(:load, :CSV)
       end
 
       # TODO: handle safe yaml
       def check_yaml
         [:load_documents, :load_stream, :parse_documents, :parse_stream].each do |method|
-          check_method(method, "YAML")
+          check_method(method, :YAML)
         end
       end
 
       def check_marshal
         [:load, :restore].each do |method|
-          check_method(method, "Marshal")
+          check_method(method, :Marshal)
         end
       end
 
       def check_oj
-        check_method(:object_load, "Oj")
+        check_method(:object_load, :Oj)
         safe_default = false
-        safe_default = true if @target.find_calls(:mimic_JSON, "Oj").any?
-        call = @target.find_calls(:default_options=, "Oj").last
-        safe_default = true if call && call.options[:mode]&.value != :object
+        safe_default = true if @target.find_calls(:mimic_JSON, :Oj).any?
+        call = @target.find_calls(:default_options=, :Oj).last
+        safe_default = true if call && call.arguments.arguments.first.elements.find{|e| e.key.unescaped == "mode" }.value.unescaped != "object"
         unless safe_default
-          check_method(:load, "Oj")
+          check_method(:load, :Oj)
         end
       end
 
       def check_method(method, receiver)
         calls = @target.find_calls(method, receiver)
         calls.each do |call|
-          argument = call.arguments.first
-          if argument.ast.type == :send && argument.ast.children.last.children.first.is_a?(Parser::AST::Node)
-            argument = Exp::Argument.new(argument.ast.children.last.children.first)
-          end
-          if user_input?(argument.type, argument.name, argument.ast)
+          if user_input?(call.arguments.arguments.first)
             warn! @target, self, call.location, "#{receiver}.#{method} is called with user supplied value"
           end
         end

data/lib/spektr/checks/detailed_exceptions.rb

@@ -16,12 +16,12 @@ module Spektr
       def run
         return unless super
         call = @target.find_calls(:consider_all_requests_local=).last
-        if call && call.arguments.first.type == :true
+        if call && call.arguments.arguments.first.type == :true_node
           warn! @target, self, call.location, "Detailed exceptions are enabled in production"
         end
         # TODO: make this better, by verifying that the method body is not empty, etc
-        if method = @target.find_method(:show_detailed_exceptions?)
-          warn! @target, self, method.location, "Detailed exceptions may be enabled in #{@target.name}"
+        if call = @target.find_method(:show_detailed_exceptions?)
+          warn! @target, self, call.location, "Detailed exceptions may be enabled in #{@target.name}"
         end
       end
     end

data/lib/spektr/checks/dynamic_finders.rb

@@ -13,8 +13,8 @@ module Spektr
         return unless super
         if app_version_between?("2.0.0", "4.1.99") && @app.has_gem?("mysql")
           @target.find_calls(/^find_by_/).each do |call|
-            call.arguments.each do |argument|
-              if user_input?(argument.type, argument.name, argument.ast)
+            call.arguments.arguments.each do |argument|
+              if user_input?(argument)
                 warn! @target, self, call.location, "MySQL integer conversion may cause 0 to match any string"
               end
             end

data/lib/spektr/checks/evaluation.rb

@@ -12,8 +12,8 @@ module Spektr
         return unless super
         [:eval, :instance_eval, :class_eval, :module_eval].each do |name|
           @target.find_calls(name).each do |call|
-            call.arguments.each do |argument|
-              if user_input?(argument.type, argument.name, argument.ast)
+            call.arguments.arguments.each do |argument|
+              if user_input?(argument)
                 warn! @target, self, call.location, "User input in eval"
               end
             end