Commit f0630090 authored by Rémy Coutable's avatar Rémy Coutable

Merge branch '47986-rubocop-safe-params' into 'master'

Add cop prohibiting params argument in url_for

Closes #47986

See merge request gitlab-org/gitlab-ce!23115
parents 0e182280 186b2143
# frozen_string_literal: true
module RuboCop
module Cop
class SafeParams < RuboCop::Cop::Cop
MSG = 'Use `safe_params` instead of `params` in url_for.'.freeze
METHOD_NAME_PATTERN = :url_for
UNSAFE_PARAM = :params
def on_send(node)
return unless method_name(node) == METHOD_NAME_PATTERN
add_offense(node, location: :expression) unless safe_params?(node)
end
private
def safe_params?(node)
node.descendants.each do |param_node|
next unless param_node.descendants.empty?
return false if method_name(param_node) == UNSAFE_PARAM
end
true
end
def method_name(node)
node.children[1]
end
end
end
end
......@@ -5,6 +5,7 @@ require_relative 'cop/gitlab/httparty'
require_relative 'cop/gitlab/finder_with_find_by'
require_relative 'cop/gitlab/union'
require_relative 'cop/include_sidekiq_worker'
require_relative 'cop/safe_params'
require_relative 'cop/avoid_return_from_blocks'
require_relative 'cop/avoid_break_from_strong_memoize'
require_relative 'cop/avoid_route_redirect_leading_slash'
......
# frozen_string_literal: true
require 'spec_helper'
require 'rubocop'
require 'rubocop/rspec/support'
require_relative '../../../rubocop/cop/safe_params'
describe RuboCop::Cop::SafeParams do
include CopHelper
subject(:cop) { described_class.new }
it 'flags the params as an argument of url_for' do
expect_offense(<<~SOURCE)
url_for(params)
^^^^^^^^^^^^^^^ Use `safe_params` instead of `params` in url_for.
SOURCE
end
it 'flags the merged params as an argument of url_for' do
expect_offense(<<~SOURCE)
url_for(params.merge(additional_params))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Use `safe_params` instead of `params` in url_for.
SOURCE
end
it 'flags the merged params arg as an argument of url_for' do
expect_offense(<<~SOURCE)
url_for(something.merge(additional).merge(params))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Use `safe_params` instead of `params` in url_for.
SOURCE
end
it 'does not flag other argument of url_for' do
expect_no_offenses(<<~SOURCE)
url_for(something)
SOURCE
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment