# frozen_string_literal: true
module RuboCop
  module Cop
    module Bundler
      # Flags Gemfile `source` calls that pass one of the deprecated symbol
      # arguments `:gemcutter`, `:rubygems` or `:rubyforge`. The offense
      # message gives the reason: HTTP requests are insecure. Use the URL
      # string 'https://rubygems.org' where possible, and fall back to
      # 'http://rubygems.org' only where HTTPS cannot be used.
      #
      # Autocorrection rewrites the symbol to 'https://rubygems.org'. HTTPS
      # is strongly recommended and is fine for most use cases.
      #
      # Scope of the check: the node pattern matches only the three symbols
      # above. A `source` that is already written as an `http://` URL string
      # is neither reported nor rewritten. This was left open for setups such
      # as an internal gem server on an intranet that can only be reached
      # over HTTP. Such sources therefore need a separate review; passing
      # this cop does not mean every source in the Gemfile uses HTTPS.
      #
      # @example
      #   # bad
      #   source :gemcutter
      #   source :rubygems
      #   source :rubyforge
      #
      #   # good
      #   source 'https://rubygems.org' # strongly recommended
      #   source 'http://rubygems.org'
      class InsecureProtocolSource < Cop
        include RangeHelp

        MSG = 'The source `:%<source>s` is deprecated because HTTP requests ' \
              'are insecure. ' \
              "Please change your source to 'https://rubygems.org' " \
              "if possible, or 'http://rubygems.org' if not."

        # Matches `source <sym>` with no receiver and captures the symbol when
        # it is one of the three deprecated names.
        def_node_matcher :insecure_protocol_source?, <<~PATTERN
          (send nil? :source
          (sym ${:gemcutter :rubygems :rubyforge}))
        PATTERN

        # Registers an offense for a matching `source` call. The offense is
        # located on the symbol argument rather than on the whole call, and
        # the captured symbol is interpolated into MSG.
        def on_send(node)
          insecure_protocol_source?(node) do |deprecated_symbol|
            symbol_range = range(node.first_argument.loc.expression)

            add_offense(node,
                        location: symbol_range,
                        message: format(MSG, source: deprecated_symbol))
          end
        end

        # Returns the correction lambda: the first argument of the call is
        # replaced with the quoted HTTPS URL. The plain-HTTP fallback named
        # in MSG is never chosen automatically.
        def autocorrect(node)
          ->(corrector) { corrector.replace(node.first_argument, "'https://rubygems.org'") }
        end

        private

        # Rebuilds a range from the begin/end positions of the given range
        # via `range_between` (presumably supplied by RangeHelp; not defined
        # in this file).
        def range(node)
          start_pos = node.begin_pos
          stop_pos = node.end_pos
          range_between(start_pos, stop_pos)
        end
      end
    end
  end
end