Sha256: 93df88615059ca671f3555cb1601d27f85e0bc98d32055102483cda146c994ea
Contents?: true
Size: 1.07 KB
Versions: 2
Compression:
Stored size: 1.07 KB
Contents
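# frozen_string_literal: true

module RuboCop
  module Cop
    module GitlabSecurity
      # Check for use of redirect_to(params.update()) and redirect_to(params.merge())
      #
      # Passing the full request params hash to redirect_to lets a client supply
      # keys that url_for honours (e.g. `host`), which provides an open redirect.
      # The fix is to pass only an explicitly allowed set of arguments.
      #
      # @example
      #
      #   # bad
      #   redirect_to(params.update(action: 'main'))
      #   redirect_to(params.merge(action: 'main'))
      #
      #   # good
      #   redirect_to(allowed(params))
      #
      class RedirectToParamsUpdate < RuboCop::Cop::Base
        MSG = 'Avoid using `redirect_to(params.%<name>s(...))`. ' \
          'Only pass allowed arguments into redirect_to() (e.g. not including `host`)'

        # Only `redirect_to` sends can match the pattern below, so skip on_send
        # for every other method call up front.
        RESTRICT_ON_SEND = %i[redirect_to].freeze

        # @!method redirect_to_params_update_node(node)
        #   Matches `redirect_to(params.update(...))` / `redirect_to(params.merge(...))`
        #   with a bare (receiver-less) `params`. Captures the `params.<method>(...)`
        #   send node, used as the offense location, and the method name used in MSG.
        def_node_matcher :redirect_to_params_update_node, <<-PATTERN
          (send nil? :redirect_to $(send (send nil? :params) ${:update :merge} ...))
        PATTERN

        # Registers an offense on the `params.update(...)` / `params.merge(...)`
        # argument of a matching redirect_to call.
        #
        # @param node [RuboCop::AST::SendNode] the send node being inspected
        # @return [void]
        def on_send(node)
          selected, name = redirect_to_params_update_node(node)
          # A non-matching node yields no captures.
          return unless name

          message = format(MSG, name: name)
          add_offense(selected, message: message)
        end
      end
    end
  end
end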
Version data entries
2 entries across 2 versions & 1 rubygems
Version | Path |
---|---|
gitlab-styles-13.0.1 | lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb |
gitlab-styles-13.0.0 | lib/rubocop/cop/gitlab_security/redirect_to_params_update.rb |