Class: RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

Overview

Checks for `redirect_to` calls whose argument is `params.update(...)` or `params.merge(...)`.

Passing user-controlled `params` straight to `redirect_to` creates an open redirect: request parameters such as `host` become URL options, so an attacker can craft a link that sends the victim to an arbitrary external site.

Examples:


# bad
redirect_to(params.update(action: 'main'))

# good — `allowed` stands for a filter that passes only an explicit allow-list of redirect options
redirect_to(allowed(params))

Constant Summary

# Offense text reported by `on_send`; `%<name>s` is filled with the matched
# `params` method (`update` or `merge`).
MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. Only pass allowed arguments ' \
      'into redirect_to() (e.g. not including `host`)'

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 27

# Report a `redirect_to(params.update(...))` / `redirect_to(params.merge(...))` call.
#
# @param node [RuboCop::AST::SendNode] the `send` node being visited
# @return [void]
def on_send(node)
  offending_call, method_name = redirect_to_params_update_node(node)
  # The matcher yields nothing for nodes that are not the flagged shape.
  return if method_name.nil?

  add_offense(offending_call, message: format(MSG, name: method_name))
end

#redirect_to_params_update_node(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 23

# Matches a receiver-less `redirect_to` with exactly one argument that is
# `params.update(...)` or `params.merge(...)` (with any arguments). Captures the
# `params.<method>` send node and the method name, so `on_send` receives
# `[node, :update]` or `[node, :merge]`.
# Only these two methods are matched: `params.merge!`, `params.reverse_merge`,
# a bare `redirect_to(params)`, or `params` reached through a receiver
# (e.g. `request.params`) are not flagged by this cop.
def_node_matcher :redirect_to_params_update_node, <<-PATTERN
   (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
PATTERN