Class: RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate

Inherits:

Base

• Object
• Base
• RuboCop::Cop::GitlabSecurity::RedirectToParamsUpdate

Defined in:

lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb

Overview

Check for use of redirect_to(params.update())

Passing user params to the redirect_to method provides an open redirect

Examples:

# bad
redirect_to(params.update(action: 'main'))

# good
redirect_to(allowed(params))

Constant Summary

MSG =

'Avoid using `redirect_to(params.%<name>s(...))`. ' \
'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'

Instance Method Summary

• #on_send(node) ⇒ Object
• #redirect_to_params_update_node(node) ⇒ Object

Instance Method Details

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 27

def on_send(node)
  selected, name = redirect_to_params_update_node(node)
  return unless name

  message = format(MSG, name: name)

  add_offense(selected, message: message)
end

#redirect_to_params_update_node(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb', line 23

def_node_matcher :redirect_to_params_update_node, <<-PATTERN
   (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
PATTERN