
alint_rules/
file_content_forbidden.rs

1//! `file_content_forbidden` — files in scope must NOT match a regex.
2
3use alint_core::{Context, Error, Level, Result, Rule, RuleSpec, Scope, Violation};
4use regex::Regex;
5use serde::Deserialize;
6
/// Rule-specific options read from the rule spec by `build`.
#[derive(Debug, Deserialize)]
struct Options {
    /// Source text of the forbidden regex. `build` compiles it with
    /// `Regex::new` and rejects the rule when it does not compile.
    pattern: String,
}
11
/// Rule that reports a violation for each in-scope file whose text matches
/// the configured regex. Instances are created by `build`.
///
/// Only files that decode as UTF-8 are scanned; see `evaluate` for how
/// unreadable and non-UTF-8 files are treated.
#[derive(Debug)]
pub struct FileContentForbiddenRule {
    // Rule identifier, copied from the spec.
    id: String,
    // Level copied from the spec.
    level: Level,
    // Optional policy URL copied from the spec.
    policy_url: Option<String>,
    // Optional custom violation text; when absent, `evaluate` generates a
    // default message that names the pattern.
    message: Option<String>,
    // Path filter built from the spec's `paths` field.
    scope: Scope,
    // Pattern source as written in the options, kept for the default message.
    pattern_src: String,
    // Compiled form of `pattern_src`.
    pattern: Regex,
}
22
impl Rule for FileContentForbiddenRule {
    /// Rule identifier taken from the spec.
    fn id(&self) -> &str {
        self.id.as_str()
    }

    /// Level taken from the spec.
    fn level(&self) -> Level {
        self.level
    }

    /// Policy URL from the spec, if one was given.
    fn policy_url(&self) -> Option<&str> {
        self.policy_url.as_deref()
    }

    /// Scans every indexed file accepted by the rule's scope and reports the
    /// first match of the forbidden pattern in each one.
    ///
    /// A file that cannot be read produces a "could not read file" violation
    /// instead of an error, so the remaining files are still checked. A file
    /// whose bytes are not valid UTF-8 is skipped without any violation.
    /// At most one violation is reported per file, located at column 1 of the
    /// line that holds the start of the first match.
    fn evaluate(&self, ctx: &Context<'_>) -> Result<Vec<Violation>> {
        // 1-based number of the line containing byte `offset` of `text`.
        fn line_of(text: &str, offset: usize) -> usize {
            text[..offset].bytes().filter(|&b| b == b'\n').count() + 1
        }

        let mut found = Vec::new();
        for entry in ctx.index.files() {
            if !self.scope.matches(&entry.path) {
                continue;
            }

            let on_disk = ctx.root.join(&entry.path);
            // NOTE(review): the whole file is loaded into memory with no size
            // cap, and `std::fs::read` follows symlinks. Whether the index can
            // list symlinks or very large files is not visible here; confirm
            // before running this rule over checkouts you do not control.
            let raw = match std::fs::read(&on_disk) {
                Err(e) => {
                    found.push(
                        Violation::new(format!("could not read file: {e}"))
                            .with_path(entry.path.clone()),
                    );
                    continue;
                }
                Ok(contents) => contents,
            };

            // This check fails open: the file is skipped as a whole as soon as
            // any byte sequence in it is not valid UTF-8, so text stored in
            // another encoding (UTF-16, Latin-1, ...) is never scanned and no
            // violation records the skip. When this rule enforces a security
            // policy, pair it with `file_is_text` so such files are flagged
            // rather than passed.
            let text = match std::str::from_utf8(&raw) {
                Ok(decoded) => decoded,
                Err(_) => continue,
            };

            let Some(hit) = self.pattern.find(text) else {
                continue;
            };
            let msg = match &self.message {
                Some(custom) => custom.clone(),
                None => format!("forbidden pattern /{}/ found", self.pattern_src),
            };
            found.push(
                Violation::new(msg)
                    .with_path(entry.path.clone())
                    .with_location(line_of(text, hit.start()), 1),
            );
        }
        Ok(found)
    }
}
72
/// Builds a `file_content_forbidden` rule from its spec.
///
/// The pattern comes from configuration and is compiled with the `Regex::new`
/// defaults. The `regex` crate matches without backtracking, so match time
/// stays linear in the size of the scanned text however the pattern is
/// written.
///
/// # Errors
///
/// Returns a rule-config error, in this order, when the spec has no `paths`
/// field, when the options fail to deserialize, or when `pattern` is not a
/// valid regex. An error from `Scope::from_paths_spec` is propagated as is.
pub fn build(spec: &RuleSpec) -> Result<Box<dyn Rule>> {
    let paths = match spec.paths.as_ref() {
        Some(given) => given,
        None => {
            return Err(Error::rule_config(
                &spec.id,
                "file_content_forbidden requires a `paths` field",
            ));
        }
    };

    let opts: Options = match spec.deserialize_options() {
        Ok(parsed) => parsed,
        Err(e) => {
            return Err(Error::rule_config(
                &spec.id,
                format!("invalid options: {e}"),
            ));
        }
    };

    let compiled = match Regex::new(&opts.pattern) {
        Ok(re) => re,
        Err(e) => {
            return Err(Error::rule_config(
                &spec.id,
                format!("invalid pattern: {e}"),
            ));
        }
    };

    // Scope construction is the last fallible step, as in the struct literal
    // it was previously part of.
    let scope = Scope::from_paths_spec(paths)?;

    let rule = FileContentForbiddenRule {
        id: spec.id.clone(),
        level: spec.level,
        policy_url: spec.policy_url.clone(),
        message: spec.message.clone(),
        scope,
        pattern_src: opts.pattern,
        pattern: compiled,
    };
    Ok(Box::new(rule))
}
95
#[cfg(test)]
mod tests {
    use super::*;
    use crate::test_support::{ctx, spec_yaml, tempdir_with_files};

    /// Spec forbidding the word `TODO` in Rust sources under `src/`.
    const TODO_SPEC: &str = concat!(
        "id: t\n",
        "kind: file_content_forbidden\n",
        "paths: \"src/**/*.rs\"\n",
        "pattern: \"\\\\bTODO\\\\b\"\n",
        "level: error\n"
    );

    /// A spec without `paths` must be rejected at build time.
    #[test]
    fn build_rejects_missing_paths_field() {
        let yaml = concat!(
            "id: t\n",
            "kind: file_content_forbidden\n",
            "pattern: \"X\"\n",
            "level: error\n"
        );
        let outcome = build(&spec_yaml(yaml));
        assert!(outcome.is_err());
    }

    /// A pattern that does not compile must be rejected at build time.
    #[test]
    fn build_rejects_invalid_regex() {
        let yaml = concat!(
            "id: t\n",
            "kind: file_content_forbidden\n",
            "paths: \"**/*\"\n",
            "pattern: \"[bad\"\n",
            "level: error\n"
        );
        let outcome = build(&spec_yaml(yaml));
        assert!(outcome.is_err());
    }

    /// A match yields one violation carrying the 1-based line of the match.
    #[test]
    fn evaluate_fires_on_forbidden_match_with_line_number() {
        let rule = build(&spec_yaml(TODO_SPEC)).unwrap();
        let source: &[u8] = b"fn main() {\n    let x = 1;\n    // TODO\n}\n";
        let (dir, index) = tempdir_with_files(&[("src/main.rs", source)]);
        let violations = rule.evaluate(&ctx(dir.path(), &index)).unwrap();
        assert_eq!(violations.len(), 1);
        assert_eq!(
            violations[0].line,
            Some(3),
            "violation should point at line 3"
        );
    }

    /// A file without the pattern produces no violation.
    #[test]
    fn evaluate_passes_when_pattern_absent() {
        let rule = build(&spec_yaml(TODO_SPEC)).unwrap();
        let source: &[u8] = b"fn main() {\n    let x = 1;\n}\n";
        let (dir, index) = tempdir_with_files(&[("src/main.rs", source)]);
        let violations = rule.evaluate(&ctx(dir.path(), &index)).unwrap();
        assert!(
            violations.is_empty(),
            "clean file should pass: {violations:?}"
        );
    }

    /// Pins the skip-on-invalid-UTF-8 behaviour: such a file yields no
    /// violation of any kind, so the rule does not report that it was skipped.
    #[test]
    fn evaluate_silent_on_non_utf8() {
        let yaml = concat!(
            "id: t\n",
            "kind: file_content_forbidden\n",
            "paths: \"**/*\"\n",
            "pattern: \"X\"\n",
            "level: error\n"
        );
        let rule = build(&spec_yaml(yaml)).unwrap();
        let (dir, index) = tempdir_with_files(&[("img.bin", &[0xff, 0xfe])]);
        let violations = rule.evaluate(&ctx(dir.path(), &index)).unwrap();
        assert!(violations.is_empty());
    }
}
173}