Class: RuboCop::Cop::Bundler::InsecureProtocolSource

Inherits:
RuboCop::Cop::Base
Extended by:
AutoCorrector
Includes:
RangeHelp
Defined in:
lib/rubocop/cop/bundler/insecure_protocol_source.rb

Overview

Passing symbol arguments to source (e.g. source :rubygems) is deprecated because they default to fetching gems over plain HTTP, which provides neither confidentiality nor integrity for what is downloaded. Instead, specify 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.

When autocorrecting, this cop replaces symbol arguments with 'https://rubygems.org'.

By default, this cop does not replace existing sources that use http://. This may be necessary where HTTPS is not available, for example when using an internal gem server on an intranet, or where HTTPS is prohibited. However, you should strongly prefer https:// wherever possible, as it is more secure.

To disallow http:// as well, set AllowHttpProtocol to false. The option defaults to true so that autocorrection is safe: a deliberate http:// source is never rewritten unless you opt in.

Examples:

# bad
source :gemcutter
source :rubygems
source :rubyforge

# good
source 'https://rubygems.org' # strongly recommended

AllowHttpProtocol: true (default)

# good
source 'http://rubygems.org' # use only if HTTPS is unavailable

AllowHttpProtocol: false

# bad
source 'http://rubygems.org'

Constant Summary

MSG =
'The source `:%<source>s` is deprecated because HTTP requests ' \
'are insecure. ' \
"Please change your source to 'https://rubygems.org' " \
"if possible, or 'http://rubygems.org' if not."
MSG_HTTP_PROTOCOL =
'Use `https://rubygems.org` instead of `http://rubygems.org`.'
RESTRICT_ON_SEND =
%i[source].freeze

Instance Attribute Summary

Attributes inherited from RuboCop::Cop::Base

#config, #processed_source

Instance Method Summary

Methods included from AutoCorrector

support_autocorrect?

Methods inherited from RuboCop::Cop::Base

#active_support_extensions_enabled?, #add_global_offense, #add_offense, autocorrect_incompatible_with, badge, #begin_investigation, callbacks_needed, #callbacks_needed, #config_to_allow_offenses, #config_to_allow_offenses=, #cop_config, cop_name, #cop_name, department, documentation_url, exclude_from_registry, #excluded_file?, #external_dependency_checksum, inherited, #initialize, #inspect, joining_forces, lint?, match?, #message, #offenses, #on_investigation_end, #on_new_investigation, #on_other_file, #parse, #ready, #relevant_file?, support_autocorrect?, support_multiple_source?, #target_rails_version, #target_ruby_version

Methods included from ExcludeLimit

#exclude_limit

Methods included from AutocorrectLogic

#autocorrect?, #autocorrect_enabled?, #autocorrect_requested?, #autocorrect_with_disable_uncorrectable?, #correctable?, #disable_uncorrectable?, #safe_autocorrect?

Methods included from IgnoredNode

#ignore_node, #ignored_node?, #part_of_ignored_node?

Methods included from Util

silence_warnings

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Method Details

#insecure_protocol_source?(node) ⇒ Object
# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 54

def_node_matcher :insecure_protocol_source?, <<~PATTERN
  (send nil? :source
    ${(sym :gemcutter) (sym :rubygems) (sym :rubyforge) (:str "http://rubygems.org")})
PATTERN

#on_send(node) ⇒ Object
# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 59

def on_send(node)
  insecure_protocol_source?(node) do |source_node|
    source = source_node.value
    use_http_protocol = source == 'http://rubygems.org'

    return if allow_http_protocol? && use_http_protocol

    message = if use_http_protocol
                MSG_HTTP_PROTOCOL
              else
                format(MSG, source: source)
              end

    add_offense(source_node, message: message) do |corrector|
      corrector.replace(source_node, "'https://rubygems.org'")
    end
  end
end
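As an added example (not the cop's own code, which matches the parsed Ruby AST through the node pattern above), the following stand-alone Ruby script applies the same rule to a Gemfile's text line by line: it flags source :gemcutter, source :rubygems and source :rubyforge, flags source 'http://rubygems.org' only when AllowHttpProtocol is false, reuses the cop's two message texts, and produces the corrected text the autocorrector would write. The sample Gemfile, the regular expression and the method names insecure_source and check_gemfile are this example's own; the regex covers only the literal argument forms shown in the Examples section, not every expression the AST matcher would see.

```ruby
# Added example: a dependency-free, line-based check that mirrors the rule of
# RuboCop's Bundler/InsecureProtocolSource. It is NOT the cop's code: the cop
# matches the parsed AST, this script matches Gemfile text with a regex.

INSECURE_SYMBOLS = %i[gemcutter rubygems rubyforge].freeze
HTTP_SOURCE      = 'http://rubygems.org'
HTTPS_SOURCE     = 'https://rubygems.org'

# Message texts copied from the cop's MSG and MSG_HTTP_PROTOCOL constants.
SYMBOL_MSG = 'The source `:%<source>s` is deprecated because HTTP requests ' \
             'are insecure. ' \
             "Please change your source to 'https://rubygems.org' " \
             "if possible, or 'http://rubygems.org' if not."
HTTP_MSG   = 'Use `https://rubygems.org` instead of `http://rubygems.org`.'

# Matches a top-level `source` call whose single argument is a symbol literal
# (`source :rubygems`, `source(:rubygems)`) or a quoted string literal
# (`source 'http://rubygems.org'`), optionally followed by a trailing comment.
# Constructed for this example; it does not handle arbitrary Ruby expressions.
SOURCE_CALL = /\A\s*source[ (]\s*(?<arg>:(?<sym>\w+)|(?<q>['"])(?<str>[^'"]*)\k<q>)\s*\)?\s*(?:#.*)?\z/

# Returns [kind, value, arg_text] for an insecure source line, or nil.
# kind is :symbol for the deprecated symbols and :http for the plain-HTTP URL,
# the same two cases the cop's node pattern distinguishes.
def insecure_source(line)
  m = SOURCE_CALL.match(line.chomp)
  return nil unless m

  if m[:sym]
    sym = m[:sym].to_sym
    return [:symbol, sym, m[:arg]] if INSECURE_SYMBOLS.include?(sym)
  elsif m[:str] == HTTP_SOURCE
    return [:http, m[:str], m[:arg]]
  end
  nil
end

# Scans a Gemfile's text and returns [offenses, corrected_text].
# allow_http_protocol follows the cop's AllowHttpProtocol option: when true
# (the default) an explicit http://rubygems.org source is left untouched.
def check_gemfile(text, allow_http_protocol: true)
  offenses = []
  corrected = text.lines.each_with_index.map do |line, idx|
    kind, value, arg = insecure_source(line)
    next line if kind.nil?
    next line if kind == :http && allow_http_protocol

    message = kind == :http ? HTTP_MSG : format(SYMBOL_MSG, source: value)
    offenses << { line: idx + 1, source: value, message: message }
    # Same correction the cop applies: replace only the argument, keep the rest.
    line.sub(arg, "'#{HTTPS_SOURCE}'")
  end.join
  [offenses, corrected]
end

# Constructed sample Gemfile exercising each case the cop distinguishes.
SAMPLE_GEMFILE = <<~GEMFILE
  source :rubygems
  source 'http://rubygems.org' # internal mirror
  source 'https://rubygems.org'
  gem 'rails'
GEMFILE

if $PROGRAM_NAME == __FILE__
  [true, false].each do |allow_http|
    offenses, fixed = check_gemfile(SAMPLE_GEMFILE, allow_http_protocol: allow_http)
    puts "AllowHttpProtocol: #{allow_http}"
    offenses.each { |o| puts "  line #{o[:line]}: #{o[:message]}" }
    puts fixed
  end
end
```

Run with the default option and only the symbol source on line 1 is reported and rewritten; run with allow_http_protocol: false and the http:// source on line 2 is reported with the cop's MSG_HTTP_PROTOCOL text and rewritten as well, while the https:// source and the gem line are never touched. That mirrors the early return in on_send above: the http:// case is skipped entirely when the option allows it, so no offense and no correction is produced for it.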