Merge branch '293024-fix-httparty-basic-auth' into 'master'

Add custom cop to prevent invalid HTTParty usage See merge request gitlab-org/gitlab!49878

Merge branch '293024-fix-httparty-basic-auth' into 'master'
Add custom cop to prevent invalid HTTParty usage See merge request gitlab-org/gitlab!49878
d4f8d92b · Rémy Coutable · 4749fbda · 921d6af5 · d4f8d92b · d4f8d92b
Commit d4f8d92b authored Dec 16, 2020 by Rémy Coutable
6 changed files
--- a/changelogs/unreleased/293024-fix-httparty-basic-auth.yml
+++ b/changelogs/unreleased/293024-fix-httparty-basic-auth.yml
+---
+title: Add custom cop to prevent invalid HTTParty usage
+merge_request: 49878
+author: Ethan Reesor (@firelizzard)
+type: fixed
--- a/rubocop/cop/rspec/httparty_basic_auth.rb
+++ b/rubocop/cop/rspec/httparty_basic_auth.rb
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module RSpec
+      # This cop checks for invalid credentials passed to HTTParty
+      #
+      # @example
+      #
+      #   # bad
+      #   HTTParty.get(url, basic_auth: { user: 'foo' })
+      #
+      #   # good
+      #   HTTParty.get(url, basic_auth: { username: 'foo' })
+      class HTTPartyBasicAuth < RuboCop::Cop::Cop
+        MESSAGE = "`basic_auth: { user: ... }` does not work - replace `user:` with `username:`".freeze
+
+        RESTRICT_ON_SEND = %i(get put post delete).freeze
+
+        def_node_matcher :httparty_basic_auth?, <<~PATTERN
+          (send
+            (const _ :HTTParty)
+            {#{RESTRICT_ON_SEND.map(&:inspect).join(' ')}}
+            <(hash
+              <(pair
+                (sym :basic_auth)
+                (hash
+                  <(pair $(sym :user) _) ...>
+                )
+              ) ...>
+            ) ...>
+          )
+        PATTERN
+
+        def on_send(node)
+          return unless m = httparty_basic_auth?(node)
+
+          add_offense(m, location: :expression, message: MESSAGE)
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            corrector.replace(node.loc.expression, 'username')
+          end
+        end
+      end
+    end
+  end
+end
--- a/spec/features/file_uploads/git_lfs_spec.rb
+++ b/spec/features/file_uploads/git_lfs_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe 'Upload a git lfs object', :js do
    HTTParty.put(
      url,
      headers: headers,
-      basic_auth: { user: user.username, password: personal_access_token.token },
+      basic_auth: { username: user.username, password: personal_access_token.token },
      body: file.read
    )
  end

--- a/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
+++ b/spec/features/file_uploads/multipart_invalid_uploads_spec.rb
@@ -17,7 +17,7 @@ RSpec.describe 'Invalid uploads that must be rejected', :api, :js do
    subject do
      HTTParty.put(
        url,
-        basic_auth: { user: user.username, password: personal_access_token.token },
+        basic_auth: { username: user.username, password: personal_access_token.token },
        body: body
      )
    end

--- a/spec/features/file_uploads/nuget_package_spec.rb
+++ b/spec/features/file_uploads/nuget_package_spec.rb
@@ -16,7 +16,7 @@ RSpec.describe 'Upload a nuget package', :api, :js do
  subject do
    HTTParty.put(
      url,
-      basic_auth: { user: user.username, password: personal_access_token.token },
+      basic_auth: { username: user.username, password: personal_access_token.token },
      body: { package: file }
    )
  end

--- a/spec/rubocop/cop/rspec/htt_party_basic_auth_spec.rb
+++ b/spec/rubocop/cop/rspec/htt_party_basic_auth_spec.rb
+# frozen_string_literal: true
+
+require 'fast_spec_helper'
+
+require_relative '../../../../rubocop/cop/rspec/httparty_basic_auth'
+
+RSpec.describe RuboCop::Cop::RSpec::HTTPartyBasicAuth, type: :rubocop do
+  include CopHelper
+
+  subject(:cop) { described_class.new }
+
+  context 'when passing `basic_auth: { user: ... }`' do
+    it 'registers an offence' do
+      expect_offense(<<~SOURCE, 'spec/foo.rb')
+        HTTParty.put(
+          url,
+          basic_auth: { user: user, password: token },
+                        ^^^^ #{described_class::MESSAGE}
+          body: body
+        )
+      SOURCE
+    end
+
+    it 'can autocorrect the source' do
+      bad  = 'HTTParty.put(url, basic_auth: { user: user, password: token })'
+      good = 'HTTParty.put(url, basic_auth: { username: user, password: token })'
+      expect(autocorrect_source(bad)).to eq(good)
+    end
+  end
+
+  context 'when passing `basic_auth: { username: ... }`' do
+    it 'does not register an offence' do
+      expect_no_offenses(<<~SOURCE, 'spec/frontend/fixtures/foo.rb')
+        HTTParty.put(
+          url,
+          basic_auth: { username: user, password: token },
+          body: body
+        )
+      SOURCE
+    end
+  end
+end