Merge branch 'kassio/add-rubocop-for-files-decompressing' into 'master'

Add Rubocop to check system file decompressing See merge request gitlab-org/gitlab!79075

Merge branch 'kassio/add-rubocop-for-files-decompressing' into 'master'
Add Rubocop to check system file decompressing See merge request gitlab-org/gitlab!79075
a0555e94 · Alex Kalderimis · d7dc8503 · cde7fe86 · a0555e94 · a0555e94
Commit a0555e94 authored Jan 25, 2022 by Alex Kalderimis
Show whitespace changes
Inline Side-by-side

Showing with 93 additions and 0 deletions

rubocop/cop/file_decompression.rb rubocop/cop/file_decompression.rb +45 -0

spec/rubocop/cop/file_decompression_spec.rb spec/rubocop/cop/file_decompression_spec.rb +48 -0

No files found.
--- a/rubocop/cop/file_decompression.rb
+++ b/rubocop/cop/file_decompression.rb
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    # Check for symlinks when extracting files to avoid arbitrary file reading.
+    class FileDecompression < RuboCop::Cop::Cop
+      MSG = <<~EOF
+      While extracting files check for symlink to avoid arbitrary file reading.
+      https://gitlab.com/gitlab-com/gl-infra/production/-/issues/6132
+      EOF
+
+      def_node_matcher :system?, <<~PATTERN
+        (send {nil? | const} {:system | :exec | :spawn | :popen}
+          (str $_))
+      PATTERN
+
+      def_node_matcher :subshell?, <<~PATTERN
+        (xstr
+          (str $_))
+      PATTERN
+
+      FORBIDDEN_COMMANDS = %w[gunzip gzip zip tar].freeze
+
+      def on_xstr(node)
+        subshell?(node) do |match|
+          add_offense(node, message: MSG) if forbidden_command?(match)
+        end
+      end
+
+      def on_send(node)
+        system?(node) do |match|
+          add_offense(node, location: :expression, message: MSG) if forbidden_command?(match)
+        end
+      end
+
+      private
+
+      def forbidden_command?(cmd)
+        FORBIDDEN_COMMANDS.any? do |forbidden|
+          cmd.match?(forbidden)
+        end
+      end
+    end
+  end
+end
--- a/spec/rubocop/cop/file_decompression_spec.rb
+++ b/spec/rubocop/cop/file_decompression_spec.rb
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+require_relative '../../../rubocop/cop/file_decompression'
+
+RSpec.describe RuboCop::Cop::FileDecompression do
+  subject(:cop) { described_class.new }
+
+  it 'does not flag when using a system command not related to file decompression' do
+    expect_no_offenses('system("ls")')
+  end
+
+  described_class::FORBIDDEN_COMMANDS.map { [_1, '^' * _1.length] }.each do |cmd, len|
+    it "flags the when using '#{cmd}' system command" do
+      expect_offense(<<~SOURCE)
+      system('#{cmd}')
+      ^^^^^^^^#{len}^^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+
+      expect_offense(<<~SOURCE)
+      exec('#{cmd}')
+      ^^^^^^#{len}^^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+
+      expect_offense(<<~SOURCE)
+      Kernel.spawn('#{cmd}')
+      ^^^^^^^^^^^^^^#{len}^^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+
+      expect_offense(<<~SOURCE)
+      IO.popen('#{cmd}')
+      ^^^^^^^^^^#{len}^^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+    end
+
+    it "flags the when using '#{cmd}' subshell command" do
+      expect_offense(<<~SOURCE)
+      `#{cmd}`
+      ^#{len}^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+
+      expect_offense(<<~SOURCE)
+      %x(#{cmd})
+      ^^^#{len}^ While extracting files check for symlink to avoid arbitrary file reading[...]
+      SOURCE
+    end
+  end
+end