Merge pull request #11140 from Bo98/io-read-cop

Add cop for IO.read usage
2021-05-12 16:05:40 +01:00 · 2021-05-12 16:05:40 +01:00 · 6b8ed45db3
commit 6b8ed45db3
parent a92c194bfb e5285b5ed8
6 changed files with 117 additions and 2 deletions
--- a/Library/.rubocop.yml
+++ b/Library/.rubocop.yml
@ -54,6 +54,10 @@ FormulaAudit:
 FormulaAuditStrict:
  Enabled: true

+# enable all Homebrew custom cops
+Homebrew:
+  Enabled: true
+
 # makes DSL usage ugly.
 Layout/SpaceBeforeBrackets:
  Exclude:
--- a/Library/Homebrew/rubocops.rb
+++ b/Library/Homebrew/rubocops.rb
@ -12,6 +12,7 @@ require "rubocop-rails"
 require "rubocop-rspec"
 require "rubocop-sorbet"

+require "rubocops/io_read"
 require "rubocops/shell_commands"

 require "rubocops/formula_desc"
--- a/Library/Homebrew/rubocops/io_read.rb
+++ b/Library/Homebrew/rubocops/io_read.rb
@ -0,0 +1,35 @@
+# typed: true
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Homebrew
+      # This cop restricts usage of IO.read functions for security reasons.
+      #
+      # @api private
+      class IORead < Base
+        MSG = "The use of `IO.%<method>s` is a security risk."
+        RESTRICT_ON_SEND = [:read, :readlines].freeze
+
+        def on_send(node)
+          return if node.receiver != s(:const, nil, :IO)
+          return if safe?(node.arguments.first)
+
+          add_offense(node, message: format(MSG, method: node.method_name))
+        end
+
+        private
+
+        def safe?(node)
+          if node.str_type?
+            !node.str_content.empty? && !node.str_content.start_with?("|")
+          elsif node.dstr_type? || (node.send_type? && node.method?(:+))
+            safe?(node.children.first)
+          else
+            false
+          end
+        end
+      end
+    end
+  end
+end
--- a/Library/Homebrew/rubocops/shell_commands.rb
+++ b/Library/Homebrew/rubocops/shell_commands.rb
@ -6,7 +6,7 @@ require "rubocops/shared/helper_functions"

 module RuboCop
  module Cop
-    module Style
+    module Homebrew
      # https://github.com/ruby/ruby/blob/v2_6_3/process.c#L2430-L2460
      SHELL_BUILTINS = %w[
        !
--- a/Library/Homebrew/test/rubocops/io_read_spec.rb
+++ b/Library/Homebrew/test/rubocops/io_read_spec.rb
@ -0,0 +1,75 @@
+# typed: false
+# frozen_string_literal: true
+
+require "rubocops/io_read"
+
+describe RuboCop::Cop::Homebrew::IORead do
+  subject(:cop) { described_class.new }
+
+  it "reports an offense when `IO.read` is used with a pipe character" do
+    expect_offense(<<~RUBY)
+      IO.read("|echo test")
+      ^^^^^^^^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "does not report an offense when `IO.read` is used without a pipe character" do
+    expect_no_offenses(<<~RUBY)
+      IO.read("file.txt")
+    RUBY
+  end
+
+  it "reports an offense when `IO.read` is used with untrustworthy input" do
+    expect_offense(<<~RUBY)
+      input = "input value from an unknown source"
+      IO.read(input)
+      ^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "reports an offense when `IO.read` is used with a dynamic string starting with a pipe character" do
+    expect_offense(<<~'RUBY')
+      input = "test"
+      IO.read("|echo #{input}")
+      ^^^^^^^^^^^^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "reports an offense when `IO.read` is used with a dynamic string at the start" do
+    expect_offense(<<~'RUBY')
+      input = "|echo test"
+      IO.read("#{input}.txt")
+      ^^^^^^^^^^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "does not report an offense when `IO.read` is used with a dynamic string safely" do
+    expect_no_offenses(<<~'RUBY')
+      input = "test"
+      IO.read("somefile#{input}.txt")
+    RUBY
+  end
+
+  it "reports an offense when `IO.read` is used with a concatenated string starting with a pipe character" do
+    expect_offense(<<~'RUBY')
+      input = "|echo test"
+      IO.read("|echo " + input)
+      ^^^^^^^^^^^^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "reports an offense when `IO.read` is used with a concatenated string starting with untrustworthy input" do
+    expect_offense(<<~'RUBY')
+      input = "|echo test"
+      IO.read(input + ".txt")
+      ^^^^^^^^^^^^^^^^^^^^^^^ The use of `IO.read` is a security risk.
+    RUBY
+  end
+
+  it "does not report an offense when `IO.read` is used with a concatenated string safely" do
+    expect_no_offenses(<<~'RUBY')
+      input = "test"
+      IO.read("somefile" + input + ".txt")
+    RUBY
+  end
+end
--- a/Library/Homebrew/test/rubocops/shell_commands_spec.rb
+++ b/Library/Homebrew/test/rubocops/shell_commands_spec.rb
@ -5,7 +5,7 @@ require "rubocops/shell_commands"

 module RuboCop
  module Cop
-    module Style
+    module Homebrew
      describe ShellCommands do
        subject(:cop) { described_class.new }