dbauthzAuthorizationContext is a lint rule that protects the usage of system contexts. This is a dangerous pattern that can lead to leaking database information as a system context can be essentially "sudo". Anytime a function like "AsSystem" is used, it should be accompanied by a comment explainin
(m dsl.Matcher)
| 28 | // Anytime a function like "AsSystem" is used, it should be accompanied by a comment |
| 29 | // explaining why it's ok and a nolint. |
| 30 | func dbauthzAuthorizationContext(m dsl.Matcher) { |
| 31 | m.Import("context") |
| 32 | m.Import("github.com/coder/coder/v2/coderd/database/dbauthz") |
| 33 | |
| 34 | m.Match( |
| 35 | `dbauthz.$f($c)`, |
| 36 | ). |
| 37 | Where( |
| 38 | m["c"].Type.Implements("context.Context") && |
| 39 | // Only report on functions that start with "As". |
| 40 | m["f"].Text.Matches("^As") && |
| 41 | // Ignore test usages of dbauthz contexts. |
| 42 | !m.File().Name.Matches(`_test\.go$`), |
| 43 | ). |
| 44 | // Instructions for fixing the lint error should be included on the dangerous function. |
| 45 | Report("Using '$f' is dangerous and should be accompanied by a comment explaining why it's ok and a nolint.") |
| 46 | } |
| 47 | |
| 48 | // testingWithOwnerUser is a lint rule that detects potential permission bugs. |
| 49 | // Calling clitest.SetupConfig with a client authenticated as the Owner user |