Class: RuboCop::Cop::Bundler::InsecureProtocolSource

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, ::RuboCop::Cop::AutoCorrector, ::RuboCop::Cop::Base, ::RuboCop::ExcludeLimit, NodePattern::Macros, RuboCop::AST::Sexp
Instance Chain:
Inherits: RuboCop::Cop::Base
Defined in: lib/rubocop/cop/bundler/insecure_protocol_source.rb

Overview

Passing symbol arguments to source (e.g. source :rubygems) is deprecated because they default to using HTTP requests. Instead, specify 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.

When autocorrecting, this cop will replace symbol arguments with 'https://rubygems.org'.

This cop will not replace existing sources that use http://. Plain HTTP may be necessary where HTTPS is not available, for example when using an internal gem server via an intranet, or where HTTPS is prohibited. However, you should strongly prefer https:// where possible, as it is more secure.

If you do not want to allow http://, set AllowHttpProtocol to false. This option is true by default so that autocorrection is safe.

Examples:

# bad
source :gemcutter
source :rubygems
source :rubyforge

# good
source 'https://rubygems.org' # strongly recommended

AllowHttpProtocol: true (default)

# good
source 'http://rubygems.org' # use only if HTTPS is unavailable

AllowHttpProtocol: false

# bad
source 'http://rubygems.org'

Constant Summary

::RuboCop::Cop::Base - Inherited

EMPTY_OFFENSES, RESTRICT_ON_SEND

Class Attribute Summary

::RuboCop::Cop::AutoCorrector - Extended

::RuboCop::Cop::Base - Inherited

.gem_requirements, .lint?,
.support_autocorrect?

Returns if class supports autocorrect.

.support_multiple_source?

Override if your cop should be called repeatedly for multiple investigations. Between calls to on_new_investigation and on_investigation_end, the result of processed_source will remain constant.

Class Method Summary

::RuboCop::Cop::Base - Inherited

.autocorrect_incompatible_with

List of cops that should not try to autocorrect at the same time as this cop.

.badge

Naming.

.callbacks_needed, .cop_name, .department,
.documentation_url

Returns a URL to view this cop's documentation online.

.exclude_from_registry

Call for abstract Cop classes.

.inherited,
.joining_forces

Override and return the Force class(es) you need to join.

.match?

Returns true if the cop name or the cop namespace matches any of the given names.

.new,
.requires_gem

Register a version requirement for the given gem name.

.restrict_on_send

::RuboCop::ExcludeLimit - Extended

exclude_limit

Sets up a configuration option to have an exclude limit tracked.

transform

Instance Attribute Summary

Instance Method Summary

::RuboCop::Cop::Base - Inherited

#add_global_offense

Adds an offense that has no particular location.

#add_offense

Adds an offense on the specified range (or node with an expression). Unless that offense is disabled for this range, a corrector will be yielded to provide the cop the opportunity to autocorrect the offense.

#begin_investigation

Called before any investigation.

#callbacks_needed,
#cop_config

Configuration Helpers.

#cop_name, #excluded_file?,
#external_dependency_checksum

This method should be overridden when a cop’s behavior depends on state that lives outside of these locations:

#inspect,
#message

Gets called if no message is specified when calling add_offense or add_global_offense. Cops are discouraged from overriding this; instead pass your message directly.

#name
#offenses,
#on_investigation_end

Called after all on_…​

#on_new_investigation

Called before all on_…​

#on_other_file

Called instead of all on_…​

#parse

There should be very limited reasons for a Cop to do its own parsing.

#parser_engine,
#ready

Called between investigations.

#relevant_file?,
#target_gem_version

Returns a gems locked versions (i.e.

#target_rails_version, #target_ruby_version, #annotate, #apply_correction, #attempt_correction,
#callback_argument

Reserved for Cop::Cop.

#complete_investigation

Called to complete an investigation.

#correct, #current_corrector,
#current_offense_locations

Reserved for Commissioner:

#current_offenses, #currently_disabled_lines, #custom_severity, #default_severity, #disable_uncorrectable, #enabled_line?, #file_name_matches_any?, #find_message, #find_severity, #range_for_original, #range_from_node_or_range,
#reset_investigation

Actually private methods.

#use_corrector

::RuboCop::Cop::AutocorrectLogic - Included

::RuboCop::Cop::IgnoredNode - Included

Constructor Details

This class inherits a constructor from RuboCop::Cop::Base

Instance Attribute Details

#allow_http_protocol? ⇒ Boolean (readonly, private)

# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 79

def allow_http_protocol?
  cop_config.fetch('AllowHttpProtocol', true)
end

Instance Method Details

#insecure_protocol_source?(node)

# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 53

def_node_matcher :insecure_protocol_source?, <<~PATTERN
  (send nil? :source
    ${(sym :gemcutter) (sym :rubygems) (sym :rubyforge) (:str "http://rubygems.org")})
PATTERN

#on_send(node)

# File 'lib/rubocop/cop/bundler/insecure_protocol_source.rb', line 58

def on_send(node)
  insecure_protocol_source?(node) do |source_node|
    source = source_node.value
    use_http_protocol = source == 'http://rubygems.org'

    return if allow_http_protocol? && use_http_protocol

    message = if use_http_protocol
                MSG_HTTP_PROTOCOL
              else
                format(MSG, source: source)
              end

    add_offense(source_node, message: message) do |corrector|
      corrector.replace(source_node, "'https://rubygems.org'")
    end
  end
end
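
A stand-alone sketch of the matching logic above, added here as an example and not RuboCop's own code: it uses Ruby's stdlib Ripper lexer in place of the node pattern, and the names audit_gemfile, classify_string, the verdict symbols and the sample Gemfile are assumptions. It shows that, per the pattern on this page, only the literal 'http://rubygems.org' string is matched, so other http:// sources pass this cop even with AllowHttpProtocol: false and need a separate check.

```ruby
require 'ripper'

# Values taken from the node pattern shown on this page.
DEPRECATED_SYMBOLS = %w[gemcutter rubygems rubyforge].freeze
HTTP_RUBYGEMS = 'http://rubygems.org'

# Constructed sample Gemfile (not from the RuboCop project).
SAMPLE_GEMFILE = <<~'GEMFILE'
  source :rubygems
  source 'http://rubygems.org'
  source 'https://rubygems.org'
  # source :gemcutter
  source 'http://gems.internal.example' do
    gem 'private_gem'
  end
GEMFILE

def classify_string(url, allow_http_protocol)
  if url == HTTP_RUBYGEMS
    allow_http_protocol ? :allowed_http : :offense_http
  elsif url.start_with?('http://')
    :http_not_matched # cleartext, but outside the cop's pattern
  else
    :ok
  end
end

# Returns [line, source_value, verdict] for every receiverless `source` call.
def audit_gemfile(text, allow_http_protocol: true)
  toks = Ripper.lex(text).map { |pos, type, str| [pos[0], type, str] }
  toks.reject! { |_line, type, _str| type == :on_sp }
  findings = []
  toks.each_with_index do |(line, type, str), i|
    next unless type == :on_ident && str == 'source'
    next if i.positive? && toks[i - 1][1] == :on_period # e.g. obj.source
    j = i + 1
    j += 1 if toks[j] && toks[j][1] == :on_lparen # source(...) form
    opener, value = toks[j], toks[j + 1]
    next unless opener && value
    verdict =
      case [opener[1], value[1]]
      when %i[on_symbeg on_ident]
        DEPRECATED_SYMBOLS.include?(value[2]) ? :offense_symbol : :ok
      when %i[on_tstring_beg on_tstring_content]
        classify_string(value[2], allow_http_protocol)
      end
    findings << [line, value[2], verdict] if verdict
  end
  findings
end
```

Entries reported as :http_not_matched are the ones to review by hand or with a custom check, since this cop stays silent on them.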