Add new Bundler/InsecureProtocolSource cop (#4720)

CHANGELOG.md

@@ -29,6 +29,7 @@
 * [#4696](https://github.com/bbatsov/rubocop/pull/4696): Add new `Performance/UriDefaultParser` cop. ([@koic][])
 * [#4694](https://github.com/bbatsov/rubocop/pull/4694): Add new `Lint/UriRegexp` cop. ([@koic][])
 * Add new `Style/MinMax` cop. ([@drenmi][])
+* [#4720](https://github.com/bbatsov/rubocop/pull/4720): Add new `Bundler/InsecureProtocolSource` cop. ([@koic][])
 
 ### Bug fixes
 

config/enabled.yml

@@ -1832,6 +1832,16 @@ Bundler/DuplicatedGem:
     - '**/Gemfile'
     - '**/gems.rb'
 
+Bundler/InsecureProtocolSource:
+  Description: >-
+                 The source `:gemcutter`, `:rubygems` and `:rubyforge` are deprecated
+                 because HTTP requests are insecure. Please change your source to
+                 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+  Enabled: true
+  Include:
+    - '**/Gemfile'
+    - '**/gems.rb'
+
 Bundler/OrderedGems:
   Description: >-
                  Gems within groups in the Gemfile should be alphabetically sorted.

lib/rubocop.rb

@@ -136,6 +136,7 @@
 require 'rubocop/cop/mixin/unused_argument'
 
 require 'rubocop/cop/bundler/duplicated_gem'
+require 'rubocop/cop/bundler/insecure_protocol_source'
 require 'rubocop/cop/bundler/ordered_gems'
 
 require 'rubocop/cop/layout/access_modifier_indentation'

lib/rubocop/cop/bundler/insecure_protocol_source.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Bundler
+      # The symbol argument `:gemcutter`, `:rubygems` and `:rubyforge`
+      # are deprecated. So please change your source to URL string that
+      # 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+      #
+      # This autocorrect will replace these symbols with 'https://rubygems.org'.
+      # Because it is secure, HTTPS request is strongly recommended. And in
+      # most use cases HTTPS will be fine.
+      #
+      # However, it don't replace all `sources` of `http://` with `https://`.
+      # For example, when specifying an internal gem server using HTTP on the
+      # intranet, a use case where HTTPS can not be specified was considered.
+      # Consider using HTTP only if you can not use HTTPS.
+      #
+      # @example
+      #   # bad
+      #   source :gemcutter
+      #   source :rubygems
+      #   source :rubyforge
+      #
+      #   # good
+      #   source 'https://rubygems.org' # strongly recommended
+      #   source 'http://rubygems.org'
+      class InsecureProtocolSource < Cop
+        MSG = 'The source `:%s` is deprecated because HTTP requests are ' \
+              "insecure. Please change your source to 'https://rubygems.org' " \
+              "if possible, or 'http://rubygems.org' if not.".freeze
+
+        def_node_matcher :insecure_protocol_source?, <<-PATTERN
+          (send nil :source
+            (sym ${:gemcutter :rubygems :rubyforge}))
+        PATTERN
+
+        def on_send(node)
+          insecure_protocol_source?(node) do |source|
+            message = format(MSG, source)
+
+            add_offense(
+              node, source_range(node.first_argument.loc.expression), message
+            )
+          end
+        end
+
+        def autocorrect(node)
+          lambda do |corrector|
+            corrector.replace(
+              node.first_argument.loc.expression, "'https://rubygems.org'"
+            )
+          end
+        end
+
+        private
+
+        def source_range(node)
+          range_between(node.begin_pos, node.end_pos)
+        end
+      end
+    end
+  end
+end

manual/cops.md

@@ -89,6 +89,7 @@ In the following section you find all available cops:
 #### Department [Bundler](cops_bundler.md)
 
 * [Bundler/DuplicatedGem](cops_bundler.md#bundlerduplicatedgem)
+* [Bundler/InsecureProtocolSource](cops_bundler.md#bundlerinsecureprotocolsource)
 * [Bundler/OrderedGems](cops_bundler.md#bundlerorderedgems)
 
 #### Department [Layout](cops_layout.md)

manual/cops_bundler.md

@@ -39,6 +39,44 @@ Attribute | Value
 --- | ---
 Include | \*\*/Gemfile, \*\*/gems.rb
 
+## Bundler/InsecureProtocolSource
+
+Enabled by default | Supports autocorrection
+--- | ---
+Enabled | Yes
+
+The symbol argument `:gemcutter`, `:rubygems` and `:rubyforge`
+are deprecated. So please change your source to URL string that
+'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+
+This autocorrect will replace these symbols with 'https://rubygems.org'.
+Because it is secure, HTTPS request is strongly recommended. And in
+most use cases HTTPS will be fine.
+
+However, it don't replace all `sources` of `http://` with `https://`.
+For example, when specifying an internal gem server using HTTP on the
+intranet, a use case where HTTPS can not be specified was considered.
+Consider using HTTP only if you can not use HTTPS.
+
+### Example
+
+```ruby
+# bad
+source :gemcutter
+source :rubygems
+source :rubyforge
+
+# good
+source 'https://rubygems.org' # strongly recommended
+source 'http://rubygems.org'
+```
+
+### Important attributes
+
+Attribute | Value
+--- | ---
+Include | \*\*/Gemfile, \*\*/gems.rb
+
 ## Bundler/OrderedGems
 
 Enabled by default | Supports autocorrection

spec/rubocop/cop/bundler/insecure_protocol_source_spec.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+describe RuboCop::Cop::Bundler::InsecureProtocolSource do
+  let(:config) { RuboCop::Config.new }
+  subject(:cop) { described_class.new(config) }
+
+  it 'registers an offense when using `source :gemcutter`' do
+    expect_offense(<<-RUBY.strip_indent)
+      source :gemcutter
+             ^^^^^^^^^^ The source `:gemcutter` is deprecated because HTTP requests are insecure. Please change your source to 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+    RUBY
+  end
+
+  it 'registers an offense when using `source :rubygems`' do
+    expect_offense(<<-RUBY.strip_indent)
+      source :rubygems
+             ^^^^^^^^^ The source `:rubygems` is deprecated because HTTP requests are insecure. Please change your source to 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+    RUBY
+  end
+
+  it 'registers an offense when using `source :rubyforge`' do
+    expect_offense(<<-RUBY.strip_indent)
+      source :rubyforge
+             ^^^^^^^^^^ The source `:rubyforge` is deprecated because HTTP requests are insecure. Please change your source to 'https://rubygems.org' if possible, or 'http://rubygems.org' if not.
+    RUBY
+  end
+
+  it 'autocorrects `source :gemcutter`' do
+    new_source = autocorrect_source('source :gemcutter')
+
+    expect(new_source).to eq "source 'https://rubygems.org'"
+  end
+
+  it 'autocorrects `source :rubygems`' do
+    new_source = autocorrect_source('source :rubygems')
+
+    expect(new_source).to eq "source 'https://rubygems.org'"
+  end
+
+  it 'autocorrects `source :rubyforge`' do
+    new_source = autocorrect_source('source :rubyforge')
+
+    expect(new_source).to eq "source 'https://rubygems.org'"
+  end
+end