Merge branch 'rs-more-public-send-whitelists' into 'master'

Whitelist or fix additional `Gitlab/PublicSend` cop violations

See merge request !13467

.rubocop.yml

@@ -1178,29 +1178,33 @@ RSpec/VerifiedDoubles:
 GitlabSecurity/DeepMunge:
   Enabled: true
   Exclude:
-    - 'spec/**/*'
     - 'lib/**/*.rake'
+    - 'spec/**/*'
 
 GitlabSecurity/PublicSend:
   Enabled: true
   Exclude:
-    - 'spec/**/*'
+    - 'config/**/*'
+    - 'db/**/*'
+    - 'features/**/*'
     - 'lib/**/*.rake'
+    - 'qa/**/*'
+    - 'spec/**/*'
 
 GitlabSecurity/RedirectToParamsUpdate:
   Enabled: true
   Exclude:
-    - 'spec/**/*'
     - 'lib/**/*.rake'
+    - 'spec/**/*'
 
 GitlabSecurity/SqlInjection:
   Enabled: true
   Exclude:
-    - 'spec/**/*'
     - 'lib/**/*.rake'
+    - 'spec/**/*'
 
 GitlabSecurity/SystemCommandInjection:
   Enabled: true
   Exclude:
-    - 'spec/**/*'
     - 'lib/**/*.rake'
+    - 'spec/**/*'

app/controllers/concerns/issuable_actions.rb

@@ -10,7 +10,7 @@ module IssuableActions
   def destroy
     issuable.destroy
     destroy_method = "destroy_#{issuable.class.name.underscore}".to_sym
-    TodoService.new.public_send(destroy_method, issuable, current_user)
+    TodoService.new.public_send(destroy_method, issuable, current_user) # rubocop:disable GitlabSecurity/PublicSend
 
     name = issuable.human_class_name
     flash[:notice] = "The #{name} was successfully deleted."

app/controllers/import/github_controller.rb

@@ -64,7 +64,7 @@ def go_to_provider_for_permissions
   end
 
   def import_enabled?
-    __send__("#{provider}_import_enabled?")
+    __send__("#{provider}_import_enabled?") # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def new_import_url

app/controllers/uploads_controller.rb

@@ -89,7 +89,7 @@ def uploader
 
       @uploader.retrieve_from_store!(params[:filename])
     else
-      @uploader = @model.send(upload_mount)
+      @uploader = @model.public_send(upload_mount) # rubocop:disable GitlabSecurity/PublicSend
 
       redirect_to @uploader.url unless @uploader.file_storage?
     end

app/helpers/commits_helper.rb

@@ -128,10 +128,10 @@ def commit_signature_badge_classes(additional_classes)
   #  avatar: true will prepend the avatar image
   #  size:   size of the avatar image in px
   def commit_person_link(commit, options = {})
-    user = commit.send(options[:source])
+    user = commit.public_send(options[:source]) # rubocop:disable GitlabSecurity/PublicSend
 
-    source_name = clean(commit.send "#{options[:source]}_name".to_sym)
-    source_email = clean(commit.send "#{options[:source]}_email".to_sym)
+    source_name  = clean(commit.public_send(:"#{options[:source]}_name"))  # rubocop:disable GitlabSecurity/PublicSend
+    source_email = clean(commit.public_send(:"#{options[:source]}_email")) # rubocop:disable GitlabSecurity/PublicSend
 
     person_name = user.try(:name) || source_name
 

app/helpers/import_helper.rb

@@ -5,7 +5,7 @@ def import_project_target(owner, name)
   end
 
   def provider_project_link(provider, path_with_namespace)
-    url = __send__("#{provider}_project_url", path_with_namespace)
+    url = __send__("#{provider}_project_url", path_with_namespace) # rubocop:disable GitlabSecurity/PublicSend
 
     link_to path_with_namespace, url, target: '_blank', rel: 'noopener noreferrer'
   end

app/helpers/issuables_helper.rb

@@ -174,7 +174,14 @@ def issuables_state_counter_text(issuable_type, state)
   end
 
   def assigned_issuables_count(issuable_type)
-    current_user.public_send("assigned_open_#{issuable_type}_count")
+    case issuable_type
+    when :issues
+      current_user.assigned_open_issues_count
+    when :merge_requests
+      current_user.assigned_open_merge_requests_count
+    else
+      raise ArgumentError, "invalid issuable `#{issuable_type}`"
+    end
   end
 
   def issuable_filter_params
@@ -298,10 +305,6 @@ def sidebar_gutter_collapsed?
     cookies[:collapsed_gutter] == 'true'
   end
 
-  def base_issuable_scope(issuable)
-    issuable.project.send(issuable.class.table_name).send(issuable_state_scope(issuable))
-  end
-
   def issuable_state_scope(issuable)
     if issuable.respond_to?(:merged?) && issuable.merged?
       :merged

app/helpers/milestones_helper.rb

@@ -32,7 +32,18 @@ def milestones_browse_issuables_path(milestone, state: nil, type:)
   end
 
   def milestone_issues_by_label_count(milestone, label, state:)
-    milestone.issues.with_label(label.title).send(state).size
+    issues = milestone.issues.with_label(label.title)
+    issues =
+      case state
+      when :opened
+        issues.opened
+      when :closed
+        issues.closed
+      else
+        raise ArgumentError, "invalid milestone state `#{state}`"
+      end
+
+    issues.size
   end
 
   # Returns count of milestones for different states

app/helpers/projects_helper.rb

@@ -149,15 +149,16 @@ def project_feature_access_select(field)
     # Don't show option "everyone with access" if project is private
     options = project_feature_options
 
+    level = @project.project_feature.public_send(field) # rubocop:disable GitlabSecurity/PublicSend
+
     if @project.private?
-      level = @project.project_feature.send(field)
       disabled_option = ProjectFeature::ENABLED
       highest_available_option = ProjectFeature::PRIVATE if level == disabled_option
     end
 
     options = options_for_select(
       options.invert,
-      selected: highest_available_option || @project.project_feature.public_send(field),
+      selected: highest_available_option || level,
       disabled: disabled_option
     )
 
@@ -488,7 +489,7 @@ def current_ref
   end
 
   def filename_path(project, filename)
-    if project && blob = project.repository.send(filename)
+    if project && blob = project.repository.public_send(filename) # rubocop:disable GitlabSecurity/PublicSend
       project_blob_path(
         project,
         tree_join(project.default_branch, blob.name)

app/models/commit.rb

@@ -200,7 +200,7 @@ def notes_with_associations
   end
 
   def method_missing(m, *args, &block)
-    @raw.send(m, *args, &block)
+    @raw.__send__(m, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def respond_to_missing?(method, include_private = false)

app/models/concerns/cache_markdown_field.rb

@@ -78,7 +78,7 @@ def refresh_markdown_cache!(do_update: false)
   def cached_html_up_to_date?(markdown_field)
     html_field = cached_markdown_fields.html_field(markdown_field)
 
-    cached = cached_html_for(markdown_field).present? && __send__(markdown_field).present?
+    cached = cached_html_for(markdown_field).present? && __send__(markdown_field).present? # rubocop:disable GitlabSecurity/PublicSend
     return false unless cached
 
     markdown_changed = attribute_changed?(markdown_field) || false
@@ -93,14 +93,14 @@ def invalidated_markdown_cache?
   end
 
   def attribute_invalidated?(attr)
-    __send__("#{attr}_invalidated?")
+    __send__("#{attr}_invalidated?") # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def cached_html_for(markdown_field)
     raise ArgumentError.new("Unknown field: #{field}") unless
       cached_markdown_fields.markdown_fields.include?(markdown_field)
 
-    __send__(cached_markdown_fields.html_field(markdown_field))
+    __send__(cached_markdown_fields.html_field(markdown_field)) # rubocop:disable GitlabSecurity/PublicSend
   end
 
   included do

app/models/concerns/internal_id.rb

@@ -9,7 +9,7 @@ module InternalId
   def set_iid
     if iid.blank?
       parent = project || group
-      records = parent.send(self.class.name.tableize)
+      records = parent.public_send(self.class.name.tableize) # rubocop:disable GitlabSecurity/PublicSend
       records = records.with_deleted if self.paranoid?
       max_iid = records.maximum(:iid)
 

app/models/concerns/mentionable.rb

@@ -56,7 +56,7 @@ def all_references(current_user = nil, extractor: nil)
     end
 
     self.class.mentionable_attrs.each do |attr, options|
-      text    = __send__(attr)
+      text    = __send__(attr) # rubocop:disable GitlabSecurity/PublicSend
       options = options.merge(
         cache_key: [self, attr],
         author: author,
@@ -100,7 +100,7 @@ def matches_cross_reference_regex?
                         end
 
     self.class.mentionable_attrs.any? do |attr, _|
-      __send__(attr) =~ reference_pattern
+      __send__(attr) =~ reference_pattern # rubocop:disable GitlabSecurity/PublicSend
     end
   end
 

app/models/concerns/participable.rb

@@ -82,7 +82,7 @@ def raw_participants(current_user = nil)
           if attr.respond_to?(:call)
             source.instance_exec(current_user, ext, &attr)
           else
-            process << source.__send__(attr)
+            process << source.__send__(attr) # rubocop:disable GitlabSecurity/PublicSend
           end
         end
       when Enumerable, ActiveRecord::Relation

app/models/concerns/project_features_compatibility.rb

@@ -32,6 +32,6 @@ def write_feature_attribute(field, value)
     build_project_feature unless project_feature
 
     access_level = Gitlab::Utils.to_boolean(value) ? ProjectFeature::ENABLED : ProjectFeature::DISABLED
-    project_feature.send(:write_attribute, field, access_level)
+    project_feature.__send__(:write_attribute, field, access_level) # rubocop:disable GitlabSecurity/PublicSend
   end
 end

app/models/network/commit.rb

@@ -12,7 +12,7 @@ def initialize(raw_commit)
     end
 
     def method_missing(m, *args, &block)
-      @commit.send(m, *args, &block)
+      @commit.__send__(m, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
     end
 
     def space

app/models/project.rb

@@ -920,14 +920,14 @@ def owner
   end
 
   def execute_hooks(data, hooks_scope = :push_hooks)
-    hooks.send(hooks_scope).each do |hook|
+    hooks.public_send(hooks_scope).each do |hook| # rubocop:disable GitlabSecurity/PublicSend
       hook.async_execute(data, hooks_scope.to_s)
     end
   end
 
   def execute_services(data, hooks_scope = :push_hooks)
     # Call only service hooks that are active for this scope
-    services.send(hooks_scope).each do |service|
+    services.public_send(hooks_scope).each do |service| # rubocop:disable GitlabSecurity/PublicSend
       service.async_execute(data)
     end
   end

app/models/project_services/chat_notification_service.rb

@@ -115,7 +115,7 @@ def get_message(object_kind, data)
 
   def get_channel_field(event)
     field_name = event_channel_name(event)
-    self.public_send(field_name)
+    self.public_send(field_name) # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def build_event_channels

app/models/project_services/hipchat_service.rb

@@ -53,7 +53,7 @@ def execute(data)
     return unless supported_events.include?(data[:object_kind])
     message = create_message(data)
     return unless message.present?
-    gate[room].send('GitLab', message, message_options(data))
+    gate[room].send('GitLab', message, message_options(data)) # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def test(data)

app/models/protectable_dropdown.rb

@@ -1,5 +1,9 @@
 class ProtectableDropdown
+  REF_TYPES = %i[branches tags].freeze
+
   def initialize(project, ref_type)
+    raise ArgumentError, "invalid ref type `#{ref_type}`" unless ref_type.in?(REF_TYPES)
+
     @project = project
     @ref_type = ref_type
   end
@@ -16,15 +20,15 @@ def hash
   private
 
   def refs
-    @project.repository.public_send(@ref_type)
+    @project.repository.public_send(@ref_type) # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def ref_names
     refs.map(&:name)
   end
 
   def protections
-    @project.public_send("protected_#{@ref_type}")
+    @project.public_send("protected_#{@ref_type}") # rubocop:disable GitlabSecurity/PublicSend
   end
 
   def non_wildcard_protected_ref_names

app/models/repository.rb

@@ -48,7 +48,9 @@ def self.cache_method(name, fallback: nil, memoize_only: false)
     alias_method(original, name)
 
     define_method(name) do
-      cache_method_output(name, fallback: fallback, memoize_only: memoize_only) { __send__(original) }
+      cache_method_output(name, fallback: fallback, memoize_only: memoize_only) do
+        __send__(original) # rubocop:disable GitlabSecurity/PublicSend
+      end
     end
   end
 
@@ -443,9 +445,9 @@ def after_remove_branch
   def method_missing(m, *args, &block)
     if m == :lookup && !block_given?
       lookup_cache[m] ||= {}
-      lookup_cache[m][args.join(":")] ||= raw_repository.send(m, *args, &block)
+      lookup_cache[m][args.join(":")] ||= raw_repository.__send__(m, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
     else
-      raw_repository.send(m, *args, &block)
+      raw_repository.__send__(m, *args, &block) # rubocop:disable GitlabSecurity/PublicSend
     end
   end
 
@@ -776,7 +778,7 @@ def multi_action(
       end
 
       actions.each do |options|
-        index.public_send(options.delete(:action), options)
+        index.public_send(options.delete(:action), options) # rubocop:disable GitlabSecurity/PublicSend
       end
 
       options = {

app/models/user.rb

@@ -1070,7 +1070,7 @@ def ci_projects_union
   # Added according to https://github.com/plataformatec/devise/blob/7df57d5081f9884849ca15e4fde179ef164a575f/README.md#activejob-integration
   def send_devise_notification(notification, *args)
     return true unless can?(:receive_notifications)
-    devise_mailer.send(notification, self, *args).deliver_later
+    devise_mailer.__send__(notification, self, *args).deliver_later # rubocop:disable GitlabSecurity/PublicSend
   end
 
   # This works around a bug in Devise 4.2.0 that erroneously causes a user to

app/services/akismet_service.rb

@@ -58,7 +58,7 @@ def submit(type)
     }
 
     begin
-      akismet_client.public_send(type, options[:ip_address], options[:user_agent], params)
+      akismet_client.public_send(type, options[:ip_address], options[:user_agent], params) # rubocop:disable GitlabSecurity/PublicSend
       true
     rescue => e
       Rails.logger.error("Unable to connect to Akismet: #{e}, skipping!")

app/services/ci/retry_build_service.rb

@@ -23,7 +23,7 @@ def reprocess!(build)
       end
 
       attributes = CLONE_ACCESSORS.map do |attribute|
-        [attribute, build.send(attribute)]
+        [attribute, build.public_send(attribute)] # rubocop:disable GitlabSecurity/PublicSend
       end
 
       attributes.push([:user, current_user])

app/services/commits/change_service.rb

@@ -11,6 +11,7 @@ def initialize(*args)
     def commit_change(action)
       raise NotImplementedError unless repository.respond_to?(action)
 
+      # rubocop:disable GitlabSecurity/PublicSend
       repository.public_send(
         action,
         current_user,

app/services/issuable_base_service.rb

@@ -338,7 +338,7 @@ def handle_common_system_notes(issuable, old_labels: [])
 
   def invalidate_cache_counts(issuable, users: [], skip_project_cache: false)
     users.each do |user|
-      user.public_send("invalidate_#{issuable.model_name.singular}_cache_counts")
+      user.public_send("invalidate_#{issuable.model_name.singular}_cache_counts") # rubocop:disable GitlabSecurity/PublicSend
     end
 
     unless skip_project_cache

app/services/members/destroy_service.rb

@@ -31,7 +31,7 @@ def find_member!(scope)
         source.members.find_by(condition) ||
           source.requesters.find_by!(condition)
       else
-        source.public_send(scope).find_by!(condition)
+        source.public_send(scope).find_by!(condition) # rubocop:disable GitlabSecurity/PublicSend
       end
     end