Many people in the Ruby community have heard of Rubocop, and likely have some sort of love/hate relationship with it. If you haven't heard of this often polarizing gem, here is the gist of what it does straight from the Rubocop docs.
RuboCop is a Ruby static code analyzer (a.k.a. linter) and code formatter. Out of the box it will enforce many of the guidelines outlined in the community Ruby Style Guide.
However, Rubocop is not just for enforcing style guidelines. Did you know you can use Rubocop to enforce security best practices?!
YEP! That's right! Rubocop has a built in set of Security Cops that can help you write more secure Ruby and Rails code. The cops are:
- Security/Eval - The use of eval represents a serious security risk.
- Security/JSONLoad - Prefer usage of JSON.parse over JSON.load due to potential security issues. See ruby docs for more information.
- Security/MarshalLoad - Avoid using Marshal.load or Marshal.restore due to potential security issues. See ruby docs for more information.
- Security/Open - The use of Kernel#open represents a serious security risk.
- Security/YAMLLoad - Prefer usage of YAML.safe_load over YAML.load due to potential security issues. See ruby docs for more information.
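To make the four deserialization and I/O cops concrete, here is an added example (not from the original post or from RuboCop itself) showing the safe counterpart the cop steers you towards in each case, with constructed inputs so it runs offline. It assumes Ruby 2.6 or newer, where YAML.safe_load accepts the permitted_classes keyword; the function names and sample documents are mine.

```ruby
require "json"
require "yaml"

# --- Security/JSONLoad: JSON.parse only ever builds plain data --------------
# Constructed sample: a document carrying a "json_class" key, the hook that
# JSON.load (create_additions enabled) uses to rebuild arbitrary Ruby objects.
TAGGED_JSON = '{"json_class":"Range","a":[1,5,false]}'.freeze

def parse_json_safely(text)
  # Hash, Array, String, Numeric, true/false/nil and nothing else.
  JSON.parse(text)
end

# --- Security/YAMLLoad: YAML.safe_load works from an allow-list -------------
# Constructed sample: a scalar tagged as a Ruby Symbol. safe_load rejects every
# type outside its allow-list unless the caller opts in via permitted_classes.
SYMBOL_YAML = "--- :admin\n".freeze

def load_yaml_safely(text, permitted: [])
  YAML.safe_load(text, permitted_classes: permitted)
rescue Psych::DisallowedClass => e
  # Surface the rejection as data so the caller can log it instead of crashing.
  { rejected: e.message }
end

# --- Security/MarshalLoad: keep Marshal for trusted, same-process data ------
# When a value crosses a trust boundary (cache, cookie, queue), round-trip it
# through JSON instead of Marshal so the receiver only ever gets plain data.
def serialize_for_transport(hash)
  JSON.generate(hash)
end

def deserialize_from_transport(text)
  JSON.parse(text, symbolize_names: true)
end

# --- Security/Open: File.open treats every argument as a path ---------------
# Kernel#open gives a leading "|" special meaning; File.open does not, so an
# unexpected name is simply a missing file.
def read_file_safely(name)
  File.open(name, "r") { |f| f.read }
rescue Errno::ENOENT
  nil
end

if __FILE__ == $PROGRAM_NAME
  p parse_json_safely(TAGGED_JSON)
  p load_yaml_safely(SYMBOL_YAML)
  p load_yaml_safely(SYMBOL_YAML, permitted: [Symbol])
  p deserialize_from_transport(serialize_for_transport(id: 1))
  p read_file_safely("|no-such-file")
end
```

Each function is the drop-in the corresponding cop asks for: parse instead of load, safe_load with an explicit allow-list, JSON instead of Marshal across boundaries, and File.open instead of Kernel#open.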
In addition to the security cops, there are also a couple of other cops that can improve your code security.
- Rails/OutputSafety - The use of html_safe or raw may be a security risk. Often using these can lead to a cross site scripting vulnerability.
- Style/MutableConstant - Do not assign mutable objects to constants. The security implications of this might be less obvious. For example, if you accidentally update a constant with, say, user data, and then that constant gets used for another user, suddenly you have a data leak. For this reason, it's best to ensure constants are always immutable.
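Here is an added example (mine, not the post's or RuboCop's) of the two patterns above: a mutable constant that leaks one caller's data into the next call, the frozen version that fails loudly instead, and the escaping step that raw and html_safe bypass. It uses only ERB::Util from the standard library rather than Rails; the header values and the comment string are constructed.

```ruby
require "erb"

# --- Style/MutableConstant ---------------------------------------------------
# A constant holding a mutable object is process-wide shared state: anything
# one request writes into it is visible to every later request.
MUTABLE_DEFAULTS = { "Content-Type" => "text/html" }          # flagged by the cop
FROZEN_DEFAULTS  = { "Content-Type" => "text/html" }.freeze   # what the cop wants

# Leaky pattern: writes the caller's data straight into the shared constant.
def headers_leaky(user, defaults = MUTABLE_DEFAULTS)
  defaults["X-User"] = user
  defaults
end

# Same bug against the frozen constant: it is refused instead of leaking.
def headers_guarded(user, defaults = FROZEN_DEFAULTS)
  defaults["X-User"] = user
  defaults
rescue FrozenError
  :refused
end

# Correct pattern: build a per-call copy and never touch the constant.
def headers_for(user, defaults = FROZEN_DEFAULTS)
  defaults.merge("X-User" => user)
end

# --- Rails/OutputSafety ------------------------------------------------------
# ERB::Util.html_escape is the step Rails applies to every interpolated string;
# raw and html_safe mark a string as exempt from it, which is why the cop flags
# them. Keep user-supplied text on the escaped path.
def render_comment(body)
  "<p>#{ERB::Util.html_escape(body)}</p>"
end

CONSTRUCTED_COMMENT = "<b>Tom & Jerry</b>".freeze

if __FILE__ == $PROGRAM_NAME
  headers_leaky("alice")
  p MUTABLE_DEFAULTS          # now carries alice's header for everyone
  p headers_guarded("bob")    # :refused
  p headers_for("bob")        # per-call copy, constant untouched
  puts render_comment(CONSTRUCTED_COMMENT)
end
```

Freezing the constant does not fix the leaky code by itself; it turns a silent data leak into an exception you will see in tests, which is the point of the cop.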
How to Enable ONLY the Security Cops
If you want to use Rubocop just for the security cops, and not those pesky style cops, here is how you would set it up. First, you need to install the gem.
gem install rubocop
Or if you are using a Gemfile...
gem 'rubocop', require: false
Once the gem is installed you will want to configure it with a .rubocop.yml file in your home directory. To enable just the security focused cops, your YAML file should look like this:
AllCops:
  DisabledByDefault: true
Rails/OutputSafety:
  Enabled: true
Security:
  Enabled: true
Style/MutableConstant:
  Enabled: true
Then all you have to do is run it!
$ rubocop
For more tips on basic usage, check out the rubocop docs.
Happy Coding!
Top comments (4)
Rubocop is a truly cool tool. I don't know of anything similar (beyond syntax checking) in Python.
"Fun fact": I recently got a PR merged about Security/Open on dev.to's repo: github.com/thepracticaldev/dev.to/...
There was one in Python a long time ago.
Mypy is for checking (optionally) statically typed code in Python. (It's official.)
Typing is the stdlib for adding data types like List, Tuple, Unions etc. to check with mypy.
Pytype is young, but nice. It can recognize the data types without inferences and check them like mypy does.
Thanks Muhammed, mypy is interesting; rubocop, though, is not about type checking.
It checks the code against a style guide, for things like syntax, layout, rails specific rules, performance and security tips and so on. Being a plugin system it can do a lot (and in some cases does too much :D)
The most similar tool I can think of is flake8 with its extensions.
Ah, I hadn't read the post correctly, thanks. But flake8 is still so good.