brew/Library/Homebrew/rubocops/zero_zero_zero_zero.rb

# typed: strict
# frozen_string_literal: true

require "rubocops/extend/formula_cop"

module RuboCop
  module Cop
    module FormulaAudit
      # This cop audits the use of 0.0.0.0 in formulae.
      # 0.0.0.0 should not be used outside of test do blocks as it can be a security risk.
      class ZeroZeroZeroZero < FormulaCop
        sig { override.params(formula_nodes: FormulaNodes).void }
        def audit_formula(formula_nodes)
          return if formula_tap != "homebrew-core"

          body_node = formula_nodes.body_node
          return if body_node.nil?

          test_block = find_block(body_node, :test)

          # Find all string literals in the formula
          body_node.each_descendant(:str) do |str_node|
            content = string_content(str_node)
            next unless content.include?("0.0.0.0")
            next if test_block && str_node.ancestors.any?(test_block)

            next if valid_ip_range?(content)

            offending_node(str_node)
            problem "Do not use 0.0.0.0 as it can be a security risk."
          end
        end

        private

        sig { params(content: String).returns(T::Boolean) }
        def valid_ip_range?(content)
          # Allow private IP ranges like 10.0.0.0, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255
          return true if content.match?(/\b(?:10|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.\d+\.\d+\b/)
          # Allow IP range notation like 0.0.0.0-255.255.255.255
          return true if content.match?(/\b0\.0\.0\.0\s*-\s*255\.255\.255\.255\b/)

          false
        end
      end
    end
  end
end
Add ZeroZeroZeroZero cop Add a new RuboCop to detect the use of 0.0.0.0 in formulae which indicates binding to all network interfaces, internally or externally, so is a bad default and potentially a security risk. Co-authored-by: Issy Long <me@issylong.com> 2025-07-10 17:41:12 +01:00			`# typed: strict`
			`# frozen_string_literal: true`

			`require "rubocops/extend/formula_cop"`

			`module RuboCop`
			`module Cop`
			`module FormulaAudit`
			`# This cop audits the use of 0.0.0.0 in formulae.`
			`# 0.0.0.0 should not be used outside of test do blocks as it can be a security risk.`
			`class ZeroZeroZeroZero < FormulaCop`
			`sig { override.params(formula_nodes: FormulaNodes).void }`
			`def audit_formula(formula_nodes)`
			`return if formula_tap != "homebrew-core"`

			`body_node = formula_nodes.body_node`
			`return if body_node.nil?`

			`test_block = find_block(body_node, :test)`

			`# Find all string literals in the formula`
			`body_node.each_descendant(:str) do \|str_node\|`
			`content = string_content(str_node)`
			`next unless content.include?("0.0.0.0")`
			`next if test_block && str_node.ancestors.any?(test_block)`

			`next if valid_ip_range?(content)`

			`offending_node(str_node)`
			`problem "Do not use 0.0.0.0 as it can be a security risk."`
			`end`
			`end`

			`private`

			`sig { params(content: String).returns(T::Boolean) }`
			`def valid_ip_range?(content)`
			`# Allow private IP ranges like 10.0.0.0, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255`
			`return true if content.match?(/\b(?:10\|172\.(?:1[6-9]\|2[0-9]\|3[01])\|192\.168)\.\d+\.\d+\b/)`
			`# Allow IP range notation like 0.0.0.0-255.255.255.255`
			`return true if content.match?(/\b0\.0\.0\.0\s-\s255\.255\.255\.255\b/)`

			`false`
			`end`
			`end`
			`end`
			`end`
			`end`