Class: RuboCop::Cop::Bundler::InsecureProtocolSource

Inherits:
RuboCop::Cop::Base
Extended by:
AutoCorrector
Defined in:
lib/rubocop/cop/bundler/insecure_protocol_source.rb

Overview

Passing symbol arguments to `source` (e.g. `source :rubygems`) is deprecated because they default to plain HTTP requests. Instead, specify `'https://rubygems.org'` if possible, or `'http://rubygems.org'` if not.

When autocorrecting, this cop replaces symbol arguments with `'https://rubygems.org'`.

By default this cop does not flag existing sources that use `http://`. Plain HTTP may be necessary where HTTPS is not available, for example when using an internal gem server on an intranet, or where HTTPS is prohibited. However, you should strongly prefer `https://` where possible: an HTTP source lets anyone on the network path read or tamper with the gems you install.

If you do not want to allow `http://`, set `AllowHttpProtocol` to `false`. This option defaults to `true` so that autocorrection is safe: the cop will not silently rewrite an `http://` source that may have been chosen deliberately.

Examples:

# bad
source :gemcutter
source :rubygems
source :rubyforge

# good
source 'https://rubygems.org' # strongly recommended

AllowHttpProtocol: true (default)

# good
source 'http://rubygems.org' # use only if HTTPS is unavailable

AllowHttpProtocol: false

# bad
source 'http://rubygems.org'
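The examples above cover both settings of `AllowHttpProtocol`. The following is an added, dependency-free illustration (it is not part of RuboCop and does not use its AST matcher): a small Ruby checker that applies the same rules to the raw text of a Gemfile, flags deprecated symbol sources and, when `allow_http_protocol` is false, the plain `http://rubygems.org` string, and proposes the corrected line. The sample Gemfile and the `gems.intranet.example` host are constructed for the example; the message texts mirror the cop's `MSG` and `MSG_HTTP_PROTOCOL` constants.

```ruby
# Added example, not RuboCop's own code: a text-based checker with the same
# rules as Bundler/InsecureProtocolSource, usable without the rubocop gem.
#
# The real cop is configured in .rubocop.yml as:
#   Bundler/InsecureProtocolSource:
#     AllowHttpProtocol: false

INSECURE_SYMBOLS = %w[gemcutter rubygems rubyforge].freeze
HTTP_SOURCE = 'http://rubygems.org'
SECURE_SOURCE = "'https://rubygems.org'"

MSG = 'The source `:%<source>s` is deprecated because HTTP requests ' \
      'are insecure. ' \
      "Please change your source to 'https://rubygems.org' " \
      "if possible, or 'http://rubygems.org' if not."
MSG_HTTP_PROTOCOL = 'Use `https://rubygems.org` instead of `http://rubygems.org`.'

# Matches `source :rubygems`, `source 'http://rubygems.org'`,
# `source("http://rubygems.org")` and similar, capturing the argument.
SOURCE_RE = /\A\s*source\s*\(?\s*(?<arg>:[a-z_]+|['"][^'"]*['"])\s*\)?/.freeze

# Returns one hash per offense: line number, offending argument, message and
# the corrected line (the argument replaced with 'https://rubygems.org').
def check_gemfile(text, allow_http_protocol: true)
  offenses = []
  text.each_line.with_index(1) do |line, lineno|
    m = SOURCE_RE.match(line)
    next unless m

    arg = m[:arg]
    if arg.start_with?(':')
      name = arg[1..]
      next unless INSECURE_SYMBOLS.include?(name)

      message = format(MSG, source: name)
    else
      # Only the exact rubygems.org string is matched, as in the cop's pattern;
      # other http:// hosts (e.g. an intranet gem server) are left alone.
      next unless arg[1..-2] == HTTP_SOURCE
      next if allow_http_protocol

      message = MSG_HTTP_PROTOCOL
    end

    offenses << { line: lineno, source: arg, message: message,
                  corrected: line.sub(arg, SECURE_SOURCE).rstrip }
  end
  offenses
end

# Constructed sample Gemfile; the intranet host is hypothetical.
SAMPLE_GEMFILE = <<~GEMFILE
  source :rubygems
  source 'http://rubygems.org'
  source 'https://rubygems.org'
  source 'http://gems.intranet.example'   # hypothetical internal server, not flagged
  gem 'rails'
GEMFILE

if $PROGRAM_NAME == __FILE__
  [true, false].each do |allow|
    puts "AllowHttpProtocol: #{allow}"
    check_gemfile(SAMPLE_GEMFILE, allow_http_protocol: allow).each do |o|
      puts "  Gemfile:#{o[:line]}: #{o[:message]}"
      puts "    -> #{o[:corrected]}"
    end
  end
end
```

With the default setting only the `:rubygems` symbol on line 1 is reported; with `allow_http_protocol: false` the `http://rubygems.org` string on line 2 is reported as well, and both corrections are the same `source 'https://rubygems.org'` line. The intranet source on line 4 is never flagged, matching the cop, which only recognises the literal `http://rubygems.org`.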

Constant Summary

MSG =
'The source `:%<source>s` is deprecated because HTTP requests ' \
'are insecure. ' \
"Please change your source to 'https://rubygems.org' " \
"if possible, or 'http://rubygems.org' if not."
MSG_HTTP_PROTOCOL =
'Use `https://rubygems.org` instead of `http://rubygems.org`.'
RESTRICT_ON_SEND =
%i[source].freeze

Instance Attribute Summary

Attributes inherited from RuboCop::Cop::Base

#config, #processed_source

Instance Method Summary

Methods included from AutoCorrector

support_autocorrect?

Methods inherited from RuboCop::Cop::Base

#active_support_extensions_enabled?, #add_global_offense, #add_offense, #always_autocorrect?, autocorrect_incompatible_with, badge, #begin_investigation, #callbacks_needed, callbacks_needed, #config_to_allow_offenses, #config_to_allow_offenses=, #contextual_autocorrect?, #cop_config, #cop_name, cop_name, department, documentation_url, exclude_from_registry, #excluded_file?, #external_dependency_checksum, inherited, #initialize, #inspect, joining_forces, lint?, match?, #message, #offenses, #on_investigation_end, #on_new_investigation, #on_other_file, #parse, #parser_engine, #ready, #relevant_file?, requires_gem, #string_literals_frozen_by_default?, support_autocorrect?, support_multiple_source?, #target_gem_version, #target_rails_version, #target_ruby_version

Methods included from ExcludeLimit

#exclude_limit

Methods included from AutocorrectLogic

#autocorrect?, #autocorrect_enabled?, #autocorrect_requested?, #autocorrect_with_disable_uncorrectable?, #correctable?, #disable_uncorrectable?, #safe_autocorrect?

Methods included from IgnoredNode

#ignore_node, #ignored_node?, #part_of_ignored_node?

Methods included from Util

silence_warnings

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Method Details

#insecure_protocol_source?(node) ⇒ Object

# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 53

def_node_matcher :insecure_protocol_source?, <<~PATTERN
  (send nil? :source
    ${(sym :gemcutter) (sym :rubygems) (sym :rubyforge) (:str "http://rubygems.org")})
PATTERN

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 58

def on_send(node)
  insecure_protocol_source?(node) do |source_node|
    source = source_node.value
    use_http_protocol = source == 'http://rubygems.org'

    return if allow_http_protocol? && use_http_protocol

    message = if use_http_protocol
                MSG_HTTP_PROTOCOL
              else
                format(MSG, source: source)
              end

    add_offense(source_node, message: message) do |corrector|
      corrector.replace(source_node, "'https://rubygems.org'")
    end
  end
end