.rubocop.yml

# This list was intially created by analyzing the last three months (51
# modules) committed to Metasploit Framework. Many, many older modules
# will have offenses, but this should at least provide a baseline for
# new modules.
#
# Updates to this file should include a 'Description' parameter for any
# explanation needed.

# inherit_from: .rubocop_todo.yml

AllCops:
  TargetRubyVersion: 2.6
  SuggestExtensions: false
  NewCops: disable

require:
  - ./lib/rubocop/cop/layout/module_hash_on_new_line.rb
  - ./lib/rubocop/cop/layout/module_hash_values_on_same_line.rb
  - ./lib/rubocop/cop/layout/module_description_indentation.rb
  - ./lib/rubocop/cop/layout/extra_spacing_with_bindata_ignored.rb
  - ./lib/rubocop/cop/lint/module_disclosure_date_format.rb
  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb

Layout/SpaceBeforeBrackets:
  Description: >-
    Disabled as it generates invalid code:
      https://github.com/rubocop-hq/rubocop/issues/9499
  Enabled: false

Lint/AmbiguousAssignment:
  Enabled: true

Lint/DeprecatedConstants:
  Enabled: true

Lint/DuplicateBranch:
  Description: >-
    Disabled as it causes a lot of noise around our current exception/error handling
  Enabled: false

Lint/DuplicateRegexpCharacterClassElement:
  Enabled: false

Lint/EmptyBlock:
  Enabled: false

Lint/EmptyClass:
  Enabled: false

Lint/LambdaWithoutLiteralBlock:
  Enabled: true

Lint/NoReturnInBeginEndBlocks:
  Enabled: true

Lint/NumberedParameterAssignment:
  Enabled: true

Lint/OrAssignmentToConstant:
  Enabled: true

Lint/RedundantDirGlobSort:
  Enabled: true

Lint/SymbolConversion:
  Enabled: true

Lint/ToEnumArguments:
  Enabled: true

Lint/TripleQuotes:
  Enabled: true

Lint/UnexpectedBlockArity:
  Enabled: true

Lint/UnmodifiedReduceAccumulator:
  Enabled: true

Style/ArgumentsForwarding:
  Enabled: true

Style/BlockComments:
  Description: >-
    Disabled as multiline comments are great for embedded code snippets/payloads that can
    be copy/pasted directly into a terminal etc.
  Enabled: false

Style/CaseLikeIf:
  Description: >-
    This would cause a lot of noise, and potentially introduce subtly different code when
    being auto fixed. Could potentially be enabled in isolation, but would require more
    consideration.
  Enabled: false

Style/CollectionCompact:
  Enabled: true

Style/DocumentDynamicEvalDefinition:
  Enabled: false

Style/EndlessMethod:
  Enabled: true

Style/HashExcept:
  Enabled: true

Style/IfWithBooleanLiteralBranches:
  Description: >-
    Most of the time this is a valid replacement. Although it can generate subtly different
    rewrites that might break code:
      2.7.2 :001 > foo = nil
      => nil
      2.7.2 :002 > (foo && foo['key'] == 'foo') ? true : false
      => false
      2.7.2 :003 > foo && foo['key'] == 'foo'
      => nil
  Enabled: false

Style/NegatedIfElseCondition:
  Enabled: false

Style/MultipleComparison:
  Description: >-
    Disabled as it generates invalid code:
      https://github.com/rubocop-hq/rubocop/issues/9520
    It may also introduce subtle semantic issues if automatically applied to the
    entire codebase without rigorous testing.
  Enabled: false

Style/NilLambda:
  Enabled: true

Style/RedundantArgument:
  Enabled: false

Style/RedundantAssignment:
  Description: >-
    Disabled as it sometimes improves the readability of code having an explicitly named
    response object, it also makes it easier to put a breakpoint between the assignment
    and return expression
  Enabled: false

Style/SwapValues:
  Enabled: false

Layout/ModuleHashOnNewLine:
  Enabled: true

Layout/ModuleHashValuesOnSameLine:
  Enabled: true

Layout/ModuleDescriptionIndentation:
  Enabled: true

Lint/ModuleDisclosureDateFormat:
  Enabled: true

Lint/ModuleDisclosureDatePresent:
  Include:
    # Only exploits require disclosure dates, but they can be present in auxiliary modules etc.
    - 'modules/exploits/**/*'

Lint/ModuleEnforceNotes:
  Include:
    # Only exploits and auxiliary modules require SideEffects to be listed.
    - 'modules/exploits/**/*'
    - 'modules/auxiliary/**/*'
    - 'modules/post/**/*'

Lint/DeprecatedGemVersion:
  Enabled: true
  Exclude:
    - 'metasploit-framework.gemspec'

Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
  Exclude:
    - 'modules/**/*'

Style/ClassAndModuleChildren:
  Enabled: false
  Description: 'Forced nesting is harmful for grepping and general code comprehension'

Metrics/AbcSize:
  Enabled: false
  Description: 'This is often a red-herring'

Metrics/CyclomaticComplexity:
  Enabled: false
  Description: 'This is often a red-herring'

Metrics/PerceivedComplexity:
  Enabled: false
  Description: 'This is often a red-herring'

Metrics/BlockNesting:
  Description: >-
    This is a good rule to follow, but will cause a lot of overhead introducing this rule.
  Enabled: false

Metrics/ParameterLists:
  Description: >-
    This is a good rule to follow, but will cause a lot of overhead introducing this rule.
    Increasing the max count for now
  Max: 8

Style/TernaryParentheses:
  Enabled: false
  Description: 'This outright produces bugs'

Style/FrozenStringLiteralComment:
  Enabled: false
  Description: 'We cannot support this yet without a lot of things breaking'

Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

Naming/HeredocDelimiterNaming:
  Description: >-
    Could be enabled in isolation with additional effort.
  Enabled: false

Naming/AccessorMethodName:
  Description: >-
    Disabled for now, as this naming convention is used in a lot of core library files.
    Could be enabled in isolation with additional effort.
  Enabled: false

Naming/ConstantName:
  Description: >-
    Disabled for now, Metasploit is unfortunately too inconsistent with its naming to introduce
    this. Definitely possible to enforce this in the future if need be.

    Examples:
        ManualRanking, LowRanking, etc.
        NERR_ClientNameNotFound
        HttpFingerprint
        CachedSize
        ErrUnknownTransferId
  Enabled: false

Naming/VariableNumber:
  Description: 'To make it easier to use reference code, disable this cop'
  Enabled: false

Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false

Style/Documentation:
  Enabled: true
  Description: 'Most Metasploit modules do not have class documentation.'
  Exclude:
    - 'modules/**/*'
    - 'spec/file_fixtures/modules/**/*'

Layout/FirstArgumentIndentation:
  Enabled: true
  EnforcedStyle: consistent
  Description: 'Useful for the module hash to be indented consistently'

Layout/ArgumentAlignment:
  Enabled: true
  EnforcedStyle: with_first_argument
  Description: 'Useful for the module hash to be indented consistently'

Layout/FirstHashElementIndentation:
  Enabled: true
  EnforcedStyle: consistent
  Description: 'Useful for the module hash to be indented consistently'

Layout/FirstHashElementLineBreak:
  Enabled: true
  Description: 'Enforce consistency by breaking hash elements on to new lines'

Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
  Description: 'Almost all module metadata have space in brackets'

Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

Style/EmptyLiteral:
  Enabled: false
  Description: 'This looks awkward when you mix empty and non-empty literals'

Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

Style/ConditionalAssignment:
  Enabled: false
  Description: 'This is confusing for folks coming from other languages'

Style/Encoding:
  Description: 'We prefer binary to UTF-8.'
  Enabled: false

Style/ParenthesesAroundCondition:
  Enabled: false
  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'

Style/StringConcatenation:
  Enabled: false
  Description: >-
    Disabled for now as it changes escape sequences when auto corrected:
      https://github.com/rubocop/rubocop/issues/9543

    Additionally seems to break with multiline string concatenation with trailing comments, example:
      payload = "\x12" + # Size
                "\x34" + # eip
                "\x56"   # etc
    With `rubocop -A` this will become:
      payload = "\u00124V"    # etc

Style/TrailingCommaInArrayLiteral:
  Enabled: false
  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

Layout/LineLength:
  Description: >-
    Metasploit modules often pattern match against very
    long strings when identifying targets.
  Enabled: false

Metrics/BlockLength:
  Enabled: true
  Description: >-
    While the style guide suggests 10 lines, exploit definitions
    often exceed 200 lines.
  Max: 300

Metrics/MethodLength:
  Enabled: true
  Description: >-
    While the style guide suggests 10 lines, exploit definitions
    often exceed 200 lines.
  Max: 300

Naming/MethodParameterName:
  Enabled: true
  Description: 'Whoever made this requirement never looked at crypto methods, IV'
  MinNameLength: 2

# %q() is super useful for long strings split over multiple lines and
# is very common in module constructors for things like descriptions
Style/RedundantPercentQ:
  Enabled: false

Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

Layout/FirstArrayElementLineBreak:
  Enabled: true
  Description: 'This cop checks for a line break before the first element in a multi-line array.'

Layout/FirstArrayElementIndentation:
  Enabled: true
  EnforcedStyle: consistent
  Description: 'Useful to force values within the register_options array to have sane indentation'

Layout/EmptyLinesAroundClassBody:
  Enabled: false
  Description: 'these are used to increase readability'

Layout/EmptyLinesAroundMethodBody:
  Enabled: true

Layout/ExtraSpacingWithBinDataIgnored:
  Description: 'Do not use unnecessary spacing.'
  Enabled: true
  # When true, allows most uses of extra spacing if the intent is to align
  # things with the previous or next line, not counting empty lines or comment
  # lines.
  AllowForAlignment: false
  # When true, allows things like 'obj.meth(arg)  # comment',
  # rather than insisting on 'obj.meth(arg) # comment'.
  # If done for alignment, either this OR AllowForAlignment will allow it.
  AllowBeforeTrailingComments: true
  # When true, forces the alignment of `=` in assignments on consecutive lines.
  ForceEqualSignAlignment: false

Style/For:
  Enabled: false
  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'

Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'

Style/IfUnlessModifier:
  Enabled: false
  Description: 'This style might save a couple of lines, but often makes code less clear'

Style/PercentLiteralDelimiters:
  Description: 'Use `%`-literal delimiters consistently.'
  Enabled: true
  # Specify the default preferred delimiter for all types with the 'default' key
  # Override individual delimiters (even with default specified) by specifying
  # an individual key
  PreferredDelimiters:
    default: ()
    '%i': '[]'
    '%I': '[]'
    '%r': '{}'
    '%w': '[]'
    '%W': '[]'
    '%q': '{}' # Chosen for module descriptions as () are frequently used characters, whilst {} are rarely used
  VersionChanged: '0.48.1'

Style/RedundantBegin:
  Enabled: true

Style/SafeNavigation:
  Description: >-
    This cop transforms usages of a method call safeguarded by
    a check for the existence of the object to
    safe navigation (`&.`).

    This has been disabled as in some scenarios it produced invalid code, and disobeyed the 'AllowedMethods'
    configuration.
  Enabled: false

Style/UnpackFirst:
  Description: >-
    Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
    into a debugging REPL.
  Enabled: false