Add new Bundler/InsecureProtocolSource cop

[koic]

Feature

This cop emulates a Bundler's deprecation warning.

% cat /tmp/Gemfile
# frozen_string_literal: true

source :rubygems

gem 'rubocop'

% be rubocop /tmp/Gemfile
Inspecting 1 file
C

Offenses:

/tmp/Gemfile:3:8: C: The source :rubygems is deprecated because HTTP requests are insecure. Please change your source to 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
source :rubygems
       ^^^^^^^^^

1 file inspected, 1 offense detected

Target Problem

This cop emulates Bundler's deprecation warning as below.

https://github.com/bundler/bundler/blob/v1.16.0.pre.2/lib/bundler/dsl.rb#L442-L446

This warning recommends using as secure a https protocol as possible. The argument (:gemcutter, :rubygems and :rubyforge) to replace the insecure http is deprecated.

Other Information

As shown in Bundler's warning, users who can not use https may want to replace them with http. However, in many cases I think that it will be replaced with https.

And, the default in Gemfile generated by famous generators like rails new and bundle init is already using source 'https://rubygems.org'.

Gemfile template of rails new.
https://github.com/rails/rails/blob/v5.1.4/railties/lib/rails/generators/rails/app/templates/Gemfile#L1

Gemfile template of bundle init.
https://github.com/bundler/bundler/blob/v1.16.0.pre.2/lib/bundler/templates/Gemfile#L3

Therefore, using autocorrect will replace with source 'https://rubygems.org'.

---

Before submitting the PR make sure the following are checked:

• Wrote good commit messages.
• Commit message starts with [Fix #issue-number] (if the related issue exists).
• Used the same coding conventions as the rest of the project.
• Feature branch is up-to-date with master (if not - rebase it).
• Squashed related commits together.
• Added tests.
• Added an entry to the Changelog if the new code introduces user-observable changes. See changelog entry format.
• All tests(rake spec) are passing.
• The new code doesn't generate RuboCop offenses that are checked by rake internal_investigation.
• The PR relates to only one subject with a clear title
  and description in grammatically correct, complete sentences.
• Updated cop documentation with rake generate_cops_documentation (required only when you've added a new cop or changed the configuration/documentation of an existing cop).

[Drenmi]

send nodes are decorated with node extensions that expose send_node.arguments, send_node.first_argument and send_node.last_argument. 🙂

[Drenmi]

You could also use captures in the node pattern to extract the parts you want, using $.

[koic]

Thanks for your advice. I updated with node extensions API and $. 5efbbe1

[bbatsov]

How is using http://rubygems.org better than using :rubygems?

[koic]

Yes. It is preferable to use source 'http://rubygems.org' instead of specifying a symbol such as source :rubygems.
Of course, the best thing is to use source 'https://rubygems.org'.

The following is an example of converting symbol into HTTP strings.

If source :rubygems is specified for Gemfile, remote: http://rubygems.org/ (HTTP) is output to Gemfile.lock.
This is the same when specified the string source 'http://rubygems.org'.

% cat Gemfile
# frozen_string_literal: true

source :rubygems

gem 'rubocop'

% head Gemfile.lock
GEM
  remote: http://rubygems.org/
  specs:
    ast (2.3.0)
    parallel (1.12.0)
    parser (2.4.0.0)
      ast (~> 2.2)
    powerpack (0.1.1)
    rainbow (2.2.2)
      rake

On the other hand, If source 'https://rubygems.org' is specified for Gemfile, remote: https://rubygems.org/ (HTTPS) is output to Gemfile.lock.

% cat Gemfile
# frozen_string_literal: true

source 'https://rubygems.org'

gem 'rubocop'

% head Gemfile.lock
GEM
  remote: https://rubygems.org/
  specs:
    ast (2.3.0)
    parallel (1.12.0)
    parser (2.4.0.0)
      ast (~> 2.2)
    powerpack (0.1.1)
    rainbow (2.2.2)
      rake

I'm sorry if I misunderstood the intention of question.

[bbatsov]

Seems to me this should be flagged as well. As should any source referred by a symbol or starting with http://.

[bbatsov]

I guess if we do this auto-correction will be limitted, but I think the cop would be more useful it were more generic.

[koic]

I see. I have reasons why I can not make a decision to replace all of source with http:// to https://. For example, when specifying an internal gem server using HTTP on the intranet, a use case where HTTPS can not be specified was considered. For this reason, this cop replaces only the special case rubygems.org with http:// to https://.
What do you think?

[bbatsov]

I'm fine with this if the class documentation explains all of this, so people wouldn't wonder why some sources are flagged and others are not.

[koic]

I updated the class documentation with 48676d6.

[bbatsov]

I guess that's good enough for now, but we can add to it some option to forbid completely http sources for people who want to do it.

[koic]

Thanks for the review. I will be noted about the option to forbid http source.