1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
require 'spec_helper'
require 'rubocop'
require 'rubocop/rspec/support'
require_relative '../../../../rubocop/cop/security/to_json'
describe RuboCop::Cop::Security::ToJson do
include CopHelper
subject(:cop) { described_class.new }
it 'ignores calls except `to_json`' do
inspect_source(cop, 'render json: foo')
expect(cop.offenses).to be_empty
end
context 'to_json with options' do
it 'does nothing when provided `only`' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(only: [:name, :username])
EOS
expect(cop.offenses).to be_empty
end
it 'does nothing when provided `only` and `methods`' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(
only: [:name, :username],
methods: [:avatar_url]
)
EOS
expect(cop.offenses).to be_empty
end
it 'adds an offense to `include`d attributes without `only` option' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(
include: {
milestone: {},
assignee: { methods: :avatar_url },
author: { only: %i[foo bar] },
}
)
EOS
aggregate_failures do
expect(cop.offenses.size).to eq(2)
expect(cop.highlights).to contain_exactly(
'milestone: {}',
'assignee: { methods: :avatar_url }'
)
end
end
it 'handles a top-level `only` with child `include`s' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(
only: [:foo, :bar],
include: {
assignee: { methods: :avatar_url },
author: { only: %i[foo bar] }
}
)
EOS
aggregate_failures do
expect(cop.offenses.size).to eq(1)
expect(cop.highlights)
.to contain_exactly('assignee: { methods: :avatar_url }')
end
end
it 'adds an offense for `include: [...]`' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(include: %i[foo bar baz])
EOS
aggregate_failures do
expect(cop.offenses.size).to eq(1)
expect(cop.highlights).to contain_exactly('include: %i[foo bar baz]')
end
end
it 'adds an offense for `except`' do
inspect_source(cop, <<~EOS)
render json: @issue.to_json(except: [:private_token])
EOS
aggregate_failures do
expect(cop.offenses.size).to eq(1)
expect(cop.highlights).to contain_exactly('except: [:private_token]')
end
end
end
context 'to_json without options' do
it 'does nothing when called with nil receiver' do
inspect_source(cop, 'to_json')
expect(cop.offenses).to be_empty
end
it 'does nothing when called directly on a Hash' do
inspect_source(cop, '{}.to_json')
expect(cop.offenses).to be_empty
end
it 'adds an offense when called on variable' do
inspect_source(cop, 'foo.to_json')
aggregate_failures do
expect(cop.offenses.size).to eq(1)
expect(cop.highlights).to contain_exactly('foo.to_json')
end
end
end
end
|
