bashrs 6.66.0

Rust-to-Shell transpiler for deterministic bootstrap scripts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! REL005: Temp file with predictable name
//!
//! **Rule**: Detect hardcoded temp file paths like `/tmp/foo` instead of `mktemp`
//!
//! **Why this matters**:
//! Hardcoded temp file names (e.g., `/tmp/foo`, `/tmp/myapp.log`) are
//! predictable, creating security risks (symlink attacks) and reliability
//! issues (multiple instances overwrite each other). Use `mktemp` for
//! unique, unpredictable temp files.
//!
//! **Auto-fix**: Safe - suggest replacing with `mktemp`
//!
//! ## Examples
//!
//! Bad (predictable, vulnerable to symlink attacks):
//! ```bash
//! echo "data" > /tmp/myapp.log
//! tmpfile=/tmp/output.txt
//! ```
//!
//! Good (unique, secure):
//! ```bash
//! tmpfile=$(mktemp)
//! echo "data" > "$tmpfile"
//! ```

use crate::linter::{Diagnostic, Fix, LintResult, Severity, Span};
use regex::Regex;

/// Check for hardcoded temp file paths
static PATTERN: std::sync::LazyLock<Regex> =
    std::sync::LazyLock::new(|| Regex::new(r"/tmp/[a-zA-Z_][a-zA-Z0-9_.\-]*").unwrap());

pub fn check(source: &str) -> LintResult {
    let mut result = LintResult::new();

    // Match hardcoded /tmp/ paths in assignments or redirections
    // But not /tmp itself or /tmp/ alone
    let pattern = &*PATTERN;

    for (line_num, line) in source.lines().enumerate() {
        let trimmed = line.trim_start();

        // Skip comments
        if trimmed.starts_with('#') {
            continue;
        }

        // Skip lines that already use mktemp
        if line.contains("mktemp") {
            continue;
        }

        // Skip trap cleanup lines (they reference temp files legitimately)
        if trimmed.starts_with("trap ") {
            continue;
        }

        for m in pattern.find_iter(line) {
            let path = m.as_str();

            // Skip /tmp/. and /tmp/.. path components
            if path == "/tmp/." || path == "/tmp/.." {
                continue;
            }

            let start_col = m.start() + 1;
            let end_col = m.end() + 1;

            let diagnostic = Diagnostic::new(
                "REL005",
                Severity::Warning,
                format!(
                    "Predictable temp file `{}`. Use `mktemp` for unique, secure temp files.",
                    path
                ),
                Span::new(line_num + 1, start_col, line_num + 1, end_col),
            )
            .with_fix(Fix::new("$(mktemp)".to_string()));

            result.add(diagnostic);
        }
    }

    result
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_rel005_detects_hardcoded_tmp() {
        let script = "tmpfile=/tmp/output.txt";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 1);
        assert_eq!(result.diagnostics[0].code, "REL005");
        assert_eq!(result.diagnostics[0].severity, Severity::Warning);
    }

    #[test]
    fn test_rel005_provides_fix() {
        let script = "tmpfile=/tmp/output.txt";
        let result = check(script);
        let fix = result.diagnostics[0].fix.as_ref().unwrap();
        assert_eq!(fix.replacement, "$(mktemp)");
    }

    #[test]
    fn test_rel005_no_flag_with_mktemp() {
        let script = "tmpfile=$(mktemp /tmp/myapp.XXXXXX)";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_rel005_no_false_positive_comment() {
        let script = "# tmpfile=/tmp/output.txt";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_rel005_detects_redirect_to_tmp() {
        let script = "echo data > /tmp/myapp.log";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 1);
    }

    #[test]
    fn test_rel005_no_flag_trap_cleanup() {
        let script = "trap 'rm -f /tmp/mylock' EXIT";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 0);
    }

    #[test]
    fn test_rel005_detects_multiple_tmp_files() {
        let script = "a=/tmp/foo\nb=/tmp/bar";
        let result = check(script);
        assert_eq!(result.diagnostics.len(), 2);
    }
}