Class: RuboCop::Cop::GitlabSecurity::SendFileParams

Inherits:
Base
  • Object
Defined in:
lib/rubocop/cop/gitlab_security/send_file_params.rb

Overview

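# Example of the pattern this cop expects: resolve the (assumed user-supplied)
# filename against a fixed base directory and refuse anything that resolves
# outside it *before* handing the path to send_file.
basename = File.expand_path('/tmp/myproj')

filename = File.expand_path(File.join(basename, @file.public_filename))
# The resolved path must stay inside the base directory. Comparing the two for
# equality would reject every non-empty filename; a prefix check with the
# trailing separator also keeps a sibling such as "/tmp/myproj2" from passing.
raise unless filename.start_with?("#{basename}#{File::SEPARATOR}")
send_file filename, disposition: 'inline'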

Constant Summary

# Offense message attached to the `send_file` selector when one of the call's
# arguments reads from `params`.
# NOTE(review): "file.expand_path()" presumably means File.expand_path; the
# text is kept verbatim since specs may match it exactly.
MSG = 'Do not pass user provided params directly to send_file(), verify the path with file.expand_path() first.'

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/send_file_params.rb', line 31

# Reports an offense when `send_file` is called with an argument that is, or
# contains, a read from `params` (see `params_node?`).
#
# Only arguments that syntactically reach `params` are caught: a value that is
# first copied into a local and then passed to `send_file` is not traced, so a
# clean run of this cop is not proof that the path was validated.
#
# @param node [RuboCop::AST::SendNode] the method call being inspected
def on_send(node)
  return unless node.command?(:send_file)

  reads_params = node.arguments.any? { |argument| params_node?(argument) }
  add_offense(node.loc.selector) if reads_params
end

#params_node?(node) ⇒ Object



# File 'lib/rubocop/cop/gitlab_security/send_file_params.rb', line 27

# Matches any method call whose receiver is a bare `params` call
# (`params[:file]`, `params.fetch(:file)`, ...). Because this is a node
# *search*, the generated `params_node?` also reports a match nested anywhere
# below the node it is given, e.g. inside a `File.join(...)` argument.
def_node_search :params_node?, <<~PATTERN
  (send (send nil? :params) ...)
PATTERN