From 7da8664f637543a8dc77d5c96fbcca6ccfc01531 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Mon, 15 Jul 2019 22:51:27 -0700
Subject: [PATCH 1/3] Add an autocorrect for insecure gitlab/github source/issue url metadata
These represent almost all of the community cookbook and this makes sure folks are using secure URLs
Signed-off-by: Tim Smith
---
config/cookstyle.yml | 4 ++
lib/rubocop/cop/chef/insecure_cookbook_url.rb | 60 +++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 lib/rubocop/cop/chef/insecure_cookbook_url.rb
diff --git a/config/cookstyle.yml b/config/cookstyle.yml
index 99f0d0939..713526785 100644
--- a/config/cookstyle.yml
+++ b/config/cookstyle.yml
@@ -61,6 +61,10 @@ Chef/LegacyBerksfileSource:
Description: Do not use legacy Berkfile community sources. Use Chef Supermarket instead.
Enabled: true
+Chef/InsecureCookbookURL:
+ Description: Insecure http Github or Gitlab URLs for metadata source_url/issues_url fields
+ Enabled: true
+
#### The base rubocop 0.37 enabled.yml file we started with ####
Layout/AccessModifierIndentation:
diff --git a/lib/rubocop/cop/chef/insecure_cookbook_url.rb b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
new file mode 100644
index 000000000..e5203a5d3
--- /dev/null
+++ b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
@@ -0,0 +1,60 @@
+ #
+ # Copyright:: Copyright 2019, Chef Software Inc.
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ #
+ module RuboCop
+ module Cop
+ module Chef
+ # Use secure Github and Gitlab URLs for source_url and issues_url
+ #
+ # @example
+ #
+ # # bad
+ # source_url 'http://github.com/something/something'
+ # source_url 'http://www.github.com/something/something'
+ # source_url 'http://www.gitlab.com/something/something'
+ # source_url 'http://gitlab.com/something/something'
+ #
+ # # good
+
+ # source 'https://supermarket.chef.io'
+ #
+ class InsecureCookbookURL < Cop
+ MSG = 'Insecure http Github or Gitlab URLs for metadata source_url/issues_url fields'.freeze
+
+ def_node_matcher :insecure_cb_url?, <<-PATTERN
+ (send nil? {:source_url :issues_url} (str #insecure_url?))
+ PATTERN
+
+ def insecure_url?(url)
+ # https://rubular.com/r/dS6L6bQZvwWxWq
+ url.match?(/http:\/\/(www.)*git(hub|lab)/)
+ end
+
+ def on_send(node)
+ insecure_cb_url?(node) do
+ add_offense(node, location: :expression, message: MSG, severity: :warning)
+ end
+ end
+
+ def autocorrect(node)
+ lambda do |corrector|
+ corrector.replace(node.loc.expression, node.source.gsub(/http:\/\/(www.)*/,'https://'))
+ end
+ end
+ end
+ end
+ end
+end
From d68d94d61694d5a4ca5d43e118fa474e5c0b0baa Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Mon, 15 Jul 2019 22:52:30 -0700
Subject: [PATCH 2/3] Cookstyle fixes
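Review bot: The host check in `insecure_url?` is looser than the documented intent: `(www.)*` leaves the `.` unescaped and repeats the group, and `git(hub|lab)` is not tied to a domain, so any `http://` URL whose host merely starts with `github`/`gitlab` (a self-hosted instance, for example) is reported and then rewritten to `https://` by `autocorrect` without any evidence that the host serves TLS. Limiting the match to the two hosts the examples describe, `url.match?(%r{http://(www\.)?git(hub|lab)\.com}i)`, keeps the autocorrect to hosts where the rewrite is known to be safe (the `i` flag covers the case-insensitive scheme and host); if self-hosted instances are meant to be covered, at least `(www\.)?` should replace `(www.)*`. The same group is reused in `autocorrect`, where `gsub(/http:\/\/(www.)*/,'https://')` should become `gsub(%r{http://(www\.)?}, 'https://')`. Patch 2's hunks `@@ -40,7 +39,7 @@` and `@@ -51,7 +50,7 @@` only restyle these two regexes, so the same change applies there as well.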
Signed-off-by: Tim Smith
---
lib/rubocop/cop/chef/insecure_cookbook_url.rb | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/lib/rubocop/cop/chef/insecure_cookbook_url.rb b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
index e5203a5d3..0a714e99e 100644
--- a/lib/rubocop/cop/chef/insecure_cookbook_url.rb
+++ b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
@@ -28,7 +28,6 @@ module Chef
#
# # good
-
# source 'https://supermarket.chef.io'
#
class InsecureCookbookURL < Cop
@@ -40,7 +39,7 @@ class InsecureCookbookURL < Cop
def insecure_url?(url)
# https://rubular.com/r/dS6L6bQZvwWxWq
- url.match?(/http:\/\/(www.)*git(hub|lab)/)
+ url.match?(%r{http://(www.)*git(hub|lab)})
end
def on_send(node)
@@ -51,7 +50,7 @@ def on_send(node)
def autocorrect(node)
lambda do |corrector|
- corrector.replace(node.loc.expression, node.source.gsub(/http:\/\/(www.)*/,'https://'))
+ corrector.replace(node.loc.expression, node.source.gsub(%r{http://(www.)*}, 'https://'))
end
end
end
From af0eff51a3abdc09f77bb0e8c67582e0449f8823 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Tue, 16 Jul 2019 10:37:41 -0700
Subject: [PATCH 3/3] Update comments with real examples
Signed-off-by: Tim Smith
---
lib/rubocop/cop/chef/insecure_cookbook_url.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/rubocop/cop/chef/insecure_cookbook_url.rb b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
index 0a714e99e..5cc383f7c 100644
--- a/lib/rubocop/cop/chef/insecure_cookbook_url.rb
+++ b/lib/rubocop/cop/chef/insecure_cookbook_url.rb
@@ -27,8 +27,8 @@ module Chef
# source_url 'http://gitlab.com/something/something'
#
# # good
-
- # source 'https://supermarket.chef.io'
+ # source_url 'http://github.com/something/something'
+ # source_url 'http://gitlab.com/something/something'
#
class InsecureCookbookURL < Cop
MSG = 'Insecure http Github or Gitlab URLs for metadata source_url/issues_url fields'.freeze
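Review bot: The `# good` examples added in the `@@ -27,8 +27,8 @@` hunk still use `http://` (`# source_url 'http://github.com/something/something'` and the gitlab line), which is exactly the form the `# bad` block above flags and the autocorrect rewrites, so the doc block now shows no secure form at all. They should read `# source_url 'https://github.com/something/something'` and `# source_url 'https://gitlab.com/something/something'` so the example matches the cop's own autocorrect output. Only the leading comment block of `InsecureCookbookURL` is in this hunk; the class body continues below it.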