Class: RuboCop::Cop::GitHub::InsecureHashAlgorithm

Inherits:
RuboCop::Cop
Defined in:
lib/rubocop/cop/github/insecure_hash_algorithm.rb

Constant Summary

MSG =
"This hash function is not allowed"
UUID_V3_MSG =
"uuid_v3 uses MD5, which is not allowed"
UUID_V5_MSG =
"uuid_v5 uses SHA1, which is not allowed"
DEFAULT_ALLOWED =

Built-in hash functions are listed in these docs. The default allow-list below contains only the SHA-2 family (SHA256/SHA384/SHA512); any other literal algorithm name — including MD5 and SHA1 — is reported unless it is added to the cop's `Allowed` configuration, which replaces (does not extend) this default list:

https://ruby-doc.org/stdlib-2.7.0/libdoc/digest/rdoc/Digest.html
https://ruby-doc.org/stdlib-2.7.0/libdoc/openssl/rdoc/OpenSSL/Digest.html
%w[
  SHA256
  SHA384
  SHA512
].freeze

Instance Method Summary

Instance Method Details

#alg_name(val) ⇒ Object



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 99

# Normalise whatever the node patterns captured into a comparable name.
#
# Returns a lower-cased String when the algorithm is a literal (a Symbol,
# a String, or a :sym/:str AST node), and a Symbol when it cannot be
# resolved statically: :nil for a missing value, otherwise the node type
# (e.g. :lvar, :const, :send). Callers use "is it a Symbol?" to tell an
# unresolvable name apart from a real one.
def alg_name(val)
  # A missing argument is reported as :nil rather than "" so it is treated
  # as "unknown", not as an algorithm named "".
  return :nil if val.nil?
  # Plain Ruby values (e.g. a Symbol captured directly by a node pattern).
  return val.to_s.downcase unless val.is_a?(RuboCop::AST::Node)

  literal = %i[sym str].include?(val.type)
  if literal
    # :MD5 / "Sha1" -> "md5" / "sha1"
    val.children.first.to_s.downcase
  else
    # Variable, constant, method call, ...: not resolvable here, so hand
    # back the node type (a Symbol) as the "unknown" marker.
    val.type
  end
end

#allowed_hash_functionsObject



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 95

# The lower-cased allow-list of hash algorithm names, memoised per cop.
#
# NOTE(review): an `Allowed:` entry in the cop config REPLACES
# DEFAULT_ALLOWED rather than extending it, so a project that lists "md5"
# or "sha1" there has explicitly opted back in to those digests (and, via
# on_send, to uuid_v3 / uuid_v5 respectively).
def allowed_hash_functions
  @allowed_algorithms ||= begin
    configured = cop_config.fetch("Allowed", DEFAULT_ALLOWED)
    configured.map(&:downcase)
  end
end

#insecure_algorithm?(val) ⇒ Boolean

Returns:



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 65

# True when `val` names a hash algorithm that is not on the allow-list.
#
# Only literal names are judged. When alg_name cannot resolve the value
# (nil, a local variable, a constant, a method call, ...) it returns a
# Symbol and this method answers false: the cop fails OPEN for
# `Digest.new(algo_from_config)` style code, so a dynamically chosen MD5 is
# not reported. Reviewers should treat non-literal algorithm arguments as
# out of scope for this cop rather than as vetted.
def insecure_algorithm?(val)
  return false if val == :Digest # Don't match "Digest::Digest".

  name = alg_name(val)
  # Symbol == unresolvable; see alg_name.
  return false if name.is_a?(Symbol)

  !allowed_hash_functions.include?(name)
end

#just_encoding?(val) ⇒ Boolean

Returns:



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 82

# True for the Digest module methods that only transcode bytes
# (hexencode, bubblebabble) rather than compute a digest. These carry no
# algorithm choice of their own, so a call to them is not evidence of an
# insecure hash.
def just_encoding?(val)
  %i[hexencode bubblebabble].include?(val)
end

#not_just_encoding?(val) ⇒ Boolean

Returns:



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 78

# Negation of just_encoding?, kept as a named predicate so node patterns
# can reference it directly.
def not_just_encoding?(val)
  just_encoding?(val) ? false : true
end

#on_const(const_node) ⇒ Object



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 110

# Report a constant reference to a disallowed digest class.
#
# A node that digest_uuid? matches is deliberately skipped here;
# presumably so that Digest::UUID usage is handled by the uuid_v3 /
# uuid_v5 branches of on_send with their more specific messages — confirm
# against the node pattern definitions, which are outside this listing.
def on_const(const_node)
  return unless insecure_const?(const_node)
  return if digest_uuid?(const_node)

  add_offense(const_node, message: MSG)
end

#on_send(send_node) ⇒ Object



# File 'lib/rubocop/cop/github/insecure_hash_algorithm.rb', line 116

# Report method calls that select or perform a disallowed digest.
#
# The branches are checked in order and only the first match is acted on:
#   1. uuid_v3 is MD5 by definition and uuid_v5 is SHA1 (see UUID_V3_MSG /
#      UUID_V5_MSG), so they are reported unless that digest is explicitly
#      on the allow-list — allowing "md5" in config silences the v3 check.
#   2. OpenSSL::HMAC.new is reported only when its digest argument is
#      judged insecure by openssl_hmac_new_insecure?.
#   3. Any other digest construction or by-name lookup that
#      insecure_digest? / insecure_hash_lookup? match.
def on_send(send_node)
  if uuid_v3?(send_node)
    add_offense(send_node, message: UUID_V3_MSG) unless allowed_hash_functions.include?("md5")
  elsif uuid_v5?(send_node)
    add_offense(send_node, message: UUID_V5_MSG) unless allowed_hash_functions.include?("sha1")
  elsif openssl_hmac_new?(send_node)
    add_offense(send_node, message: MSG) if openssl_hmac_new_insecure?(send_node)
  elsif insecure_digest?(send_node) || insecure_hash_lookup?(send_node)
    add_offense(send_node, message: MSG)
  end
end