diff options
| author | Douwe Maan <douwe@gitlab.com> | 2018-03-14 01:38:30 +0300 |
|---|---|---|
| committer | Mark Fletcher <mark@gitlab.com> | 2018-03-16 14:58:05 +0300 |
| commit | 4b55923402f75ce7651bc173f2c3b46b397b7c88 (patch) | |
| tree | 801abc5464ae592013fce6332ccf283f9dae28ec /rubocop | |
| parent | 6b6317a5d1608a524a80116e33ec9bf90f5354a9 (diff) | |
Merge branch 'fj-15329-services-callbacks-ssrf-10-4' into 'security-10-4'
[10.4] Server Side Request Forgery in Services and Web Hooks
See merge request gitlab/gitlabhq!2347
Diffstat (limited to 'rubocop')
| -rw-r--r-- | rubocop/cop/gitlab/httparty.rb | 62 | ||||
| -rw-r--r-- | rubocop/rubocop.rb | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/rubocop/cop/gitlab/httparty.rb b/rubocop/cop/gitlab/httparty.rb new file mode 100644 index 00000000000..215f18b6993 --- /dev/null +++ b/rubocop/cop/gitlab/httparty.rb @@ -0,0 +1,62 @@ +require_relative '../../spec_helpers' + +module RuboCop + module Cop + module Gitlab + class HTTParty < RuboCop::Cop::Cop + include SpecHelpers + + MSG_SEND = <<~EOL.freeze + Avoid calling `HTTParty` directly. Instead, use the Gitlab::HTTP + wrapper. To allow request to localhost or the private network set + the option :allow_local_requests in the request call. + EOL + + MSG_INCLUDE = <<~EOL.freeze + Avoid including `HTTParty` directly. Instead, use the Gitlab::HTTP + wrapper. To allow request to localhost or the private network set + the option :allow_local_requests in the request call. + EOL + + def_node_matcher :includes_httparty?, <<~PATTERN + (send nil? :include (const nil? :HTTParty)) + PATTERN + + def_node_matcher :httparty_node?, <<~PATTERN + (send (const nil? :HTTParty)...) + PATTERN + + def on_send(node) + return if in_spec?(node) + + add_offense(node, location: :expression, message: MSG_SEND) if httparty_node?(node) + add_offense(node, location: :expression, message: MSG_INCLUDE) if includes_httparty?(node) + end + + def autocorrect(node) + if includes_httparty?(node) + autocorrect_includes_httparty(node) + else + autocorrect_httparty_node(node) + end + end + + def autocorrect_includes_httparty(node) + lambda do |corrector| + corrector.remove(node.source_range) + end + end + + def autocorrect_httparty_node(node) + _, method_name, *arg_nodes = *node + + replacement = "Gitlab::HTTP.#{method_name}(#{arg_nodes.map(&:source).join(', ')})" + + lambda do |corrector| + corrector.replace(node.source_range, replacement) + end + end + end + end + end +end diff --git a/rubocop/rubocop.rb b/rubocop/rubocop.rb index 2f63babc425..c48b30ea00d 100644 --- a/rubocop/rubocop.rb +++ b/rubocop/rubocop.rb @@ -1,4 +1,5 @@ require_relative 'cop/gitlab/module_with_instance_variables' +require_relative 'cop/gitlab/httparty' require_relative 'cop/include_sidekiq_worker' require_relative 'cop/migration/add_column' require_relative 'cop/migration/add_concurrent_foreign_key' |