Inspired by curl's blog post, [Detecting malicious Unicode][1], this likely captures most if not all cases and nudges the user toward supplying IDNs with punycode.
A possible improvement would be telling the user exactly what punycode domain to use instead, but that may require another library as I can't quickly find something built into the Ruby stdlib that handles punycode encoding.
[1]: https://daniel.haxx.se/blog/2025/05/16/detecting-malicious-unicode/
Co-authored-by: Štefan Baebler <319826+stefanb@users.noreply.github.com>
- Fixing the test expected output was unbelievably tedious.
- There's been debate about this setting being `false` but in
https://github.com/Homebrew/brew/pull/15136#issuecomment-1500063225
we decided that it was worth using the default since RuboCop behaviour changed
so we'd have had to do some horrible things to keep it as `false` -
https://github.com/Homebrew/brew/pull/15136#issuecomment-1500037278 -
and multiple maintainers specify the `--display-cop-names` option to
`brew style` themselves since it's clearer what's gone wrong.
- Migrate the existing binary URL audit to a RuboCop.
- Check resources as well as main URLs
- Also check for "macos" and "osx" in URLs
- Add whitelists for URLs and formulae
