brew/Library/Homebrew/test/rubocops/io_read_spec.rb

# frozen_string_literal: true

require "rubocops/io_read"

RSpec.describe RuboCop::Cop::Homebrew::IORead do
  subject(:cop) { described_class.new }

  it "reports an offense when `IO.read` is used with a pipe character" do
    expect_offense(<<~RUBY)
      IO.read("|echo test")
      ^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "does not report an offense when `IO.read` is used without a pipe character" do
    expect_no_offenses(<<~RUBY)
      IO.read("file.txt")
    RUBY
  end

  it "reports an offense when `IO.read` is used with untrustworthy input" do
    expect_offense(<<~RUBY)
      input = "input value from an unknown source"
      IO.read(input)
      ^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "reports an offense when `IO.read` is used with a dynamic string starting with a pipe character" do
    expect_offense(<<~'RUBY')
      input = "test"
      IO.read("|echo #{input}")
      ^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "reports an offense when `IO.read` is used with a dynamic string at the start" do
    expect_offense(<<~'RUBY')
      input = "|echo test"
      IO.read("#{input}.txt")
      ^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "does not report an offense when `IO.read` is used with a dynamic string safely" do
    expect_no_offenses(<<~'RUBY')
      input = "test"
      IO.read("somefile#{input}.txt")
    RUBY
  end

  it "reports an offense when `IO.read` is used with a concatenated string starting with a pipe character" do
    expect_offense(<<~RUBY)
      input = "|echo test"
      IO.read("|echo " + input)
      ^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "reports an offense when `IO.read` is used with a concatenated string starting with untrustworthy input" do
    expect_offense(<<~RUBY)
      input = "|echo test"
      IO.read(input + ".txt")
      ^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
    RUBY
  end

  it "does not report an offense when `IO.read` is used with a concatenated string safely" do
    expect_no_offenses(<<~RUBY)
      input = "test"
      IO.read("somefile" + input + ".txt")
    RUBY
  end
end
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`# frozen_string_literal: true`

			`require "rubocops/io_read"`

git grep -l '^describe' \| xargs gsed -i 's\|^describe\|RSpec.describe\|g' 2024-02-18 15:11:11 -08:00			`RSpec.describe RuboCop::Cop::Homebrew::IORead do`
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`subject(:cop) { described_class.new }`

			it "reports an offense when `IO.read` is used with a pipe character" do
			`expect_offense(<<~RUBY)`
			`IO.read("\|echo test")`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "does not report an offense when `IO.read` is used without a pipe character" do
			`expect_no_offenses(<<~RUBY)`
			`IO.read("file.txt")`
			`RUBY`
			`end`

			it "reports an offense when `IO.read` is used with untrustworthy input" do
			`expect_offense(<<~RUBY)`
			`input = "input value from an unknown source"`
			`IO.read(input)`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "reports an offense when `IO.read` is used with a dynamic string starting with a pipe character" do
			`expect_offense(<<~'RUBY')`
			`input = "test"`
			`IO.read("\|echo #{input}")`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "reports an offense when `IO.read` is used with a dynamic string at the start" do
			`expect_offense(<<~'RUBY')`
			`input = "\|echo test"`
			`IO.read("#{input}.txt")`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "does not report an offense when `IO.read` is used with a dynamic string safely" do
			`expect_no_offenses(<<~'RUBY')`
			`input = "test"`
			`IO.read("somefile#{input}.txt")`
			`RUBY`
			`end`

			it "reports an offense when `IO.read` is used with a concatenated string starting with a pipe character" do
brew style --fix 2023-02-10 08:59:51 +00:00			`expect_offense(<<~RUBY)`
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`input = "\|echo test"`
			`IO.read("\|echo " + input)`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "reports an offense when `IO.read` is used with a concatenated string starting with untrustworthy input" do
brew style --fix 2023-02-10 08:59:51 +00:00			`expect_offense(<<~RUBY)`
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`input = "\|echo test"`
			`IO.read(input + ".txt")`
Say yes to RuboCop's `DisplayCopNames`; fix test expectations - Fixing the test expected output was unbelievably tedious. - There's been debate about this setting being `false` but in https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225 we decided that it was worth using the default since RuboCop behaviour changed so we'd have had to do some horrible things to keep it as `false` - https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 - and multiple maintainers specify the `--display-cop-names` option to `brew style` themselves since it's clearer what's gone wrong. 2023-04-07 17:16:48 +01:00			^^^^^^^^^^^^^^^^^^^^^^^ Homebrew/IORead: The use of `IO.read` is a security risk.
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`RUBY`
			`end`

			it "does not report an offense when `IO.read` is used with a concatenated string safely" do
brew style --fix 2023-02-10 08:59:51 +00:00			`expect_no_offenses(<<~RUBY)`
Add cop for IO.read usage 2021-04-14 16:08:37 +01:00			`input = "test"`
			`IO.read("somefile" + input + ".txt")`
			`RUBY`
			`end`
			`end`