Fix critical security and performance issues in linting setup

SECURITY FIXES:
- Fix shell injection vulnerability in pre-commit hook by using printf and xargs
- Add proper quoting and error handling for filenames with spaces/special chars

PERFORMANCE OPTIMIZATIONS:
- Add binary file detection to skip non-text files in newline checks
- Limit file size checks to 10MB to prevent memory issues
- Read only last bytes for newline detection instead of entire file
- Align excluded directories with RuboCop config (add specs_e2e, e2e, spec/fixtures)

CI IMPROVEMENTS:
- Remove redundant lint execution from main workflow (keep dedicated lint.yml)
- Align Ruby versions across workflows (use 3.0.6 consistently)

CODE QUALITY:
- Rename rubocop:auto_correct to rubocop:autocorrect (match RuboCop conventions)
- Add comprehensive error handling to install-hooks script
- Check for git repository before installing hooks
- Handle permission errors gracefully

Author: justin808

.github/workflows/lint.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: '3.0'
+        ruby-version: '3.0.6'
         bundler-cache: true
 
     - name: Run RuboCop

.github/workflows/ruby.yml

@@ -19,8 +19,6 @@ jobs:
         bundler-cache: true
     - name: Run tests
       run: bundle exec rake
-    - name: Run lint checks
-      run: bundle exec rake lint
     - name: Run interaction tests
       run: ./specs_e2e/rails_6_1/test.sh
       env:
@@ -38,8 +36,6 @@ jobs:
         bundler-cache: true
     - name: Run tests
       run: bundle exec rake
-    - name: Run lint checks
-      run: bundle exec rake lint
     - run: gem uninstall -v '>= 2' -ax bundler || true
     - run: gem install bundler -v '< 2'
     - name: Run interaction tests
@@ -59,8 +55,6 @@ jobs:
         bundler-cache: true
     - name: Run tests
       run: bundle exec rake
-    - name: Run lint checks
-      run: bundle exec rake lint
     - run: gem uninstall -v '>= 2' -ax bundler || true
     - run: gem install bundler -v '< 2'
     - name: Run interaction tests

bin/install-hooks

@@ -3,6 +3,12 @@
 
 require 'fileutils'
 
+# Check if we're in a git repository
+unless File.exist?(File.expand_path('../.git', __dir__))
+  puts '❌ Error: Not in a git repository. Please run this from the project root.'
+  exit 1
+end
+
 hooks_dir = File.expand_path('../.git/hooks', __dir__)
 pre_commit_hook = File.join(hooks_dir, 'pre-commit')
 
@@ -21,9 +27,10 @@ hook_content = <<~HOOK
 
   # Run RuboCop on staged Ruby files
   echo "Running RuboCop on staged files..."
-  files=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\\.(rb|rake)$')
+  files=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\\.(rb|rake)$' || true)
   if [ -n "$files" ]; then
-    bundle exec rubocop $files
+    # Use printf to handle filenames with spaces and special characters safely
+    printf '%s\\n' "$files" | xargs bundle exec rubocop
     if [ $? -ne 0 ]; then
       echo "❌ RuboCop failed. Fix issues or run 'bundle exec rake lint:fix'"
       exit 1
@@ -34,13 +41,28 @@ hook_content = <<~HOOK
 HOOK
 
 # Create hooks directory if it doesn't exist
-FileUtils.mkdir_p(hooks_dir)
+begin
+  FileUtils.mkdir_p(hooks_dir)
+rescue SystemCallError => e
+  puts "❌ Error: Failed to create hooks directory: #{e.message}"
+  exit 1
+end
 
 # Write the pre-commit hook
-File.write(pre_commit_hook, hook_content)
+begin
+  File.write(pre_commit_hook, hook_content)
+rescue SystemCallError => e
+  puts "❌ Error: Failed to write pre-commit hook: #{e.message}"
+  exit 1
+end
 
 # Make it executable
-File.chmod(0o755, pre_commit_hook)
+begin
+  File.chmod(0o755, pre_commit_hook)
+rescue SystemCallError => e
+  puts "❌ Error: Failed to make hook executable: #{e.message}"
+  exit 1
+end
 
 puts '✅ Pre-commit hook installed successfully!'
 puts 'The hook will:'

rakelib/lint.rake

@@ -5,31 +5,57 @@ task :rubocop do
   sh 'bundle exec rubocop'
 end
 
-desc 'Run RuboCop with auto-correct'
-task 'rubocop:auto_correct' do
+desc 'Run RuboCop with autocorrect'
+task 'rubocop:autocorrect' do
   sh 'bundle exec rubocop -A'
 end
 
 desc 'Run all linters'
 task lint: :rubocop
 
 desc 'Auto-fix all linting issues'
-task 'lint:fix' => 'rubocop:auto_correct'
+task 'lint:fix' => 'rubocop:autocorrect'
+
+# Helper method to check if file is likely binary
+def binary_file?(filepath)
+  return false unless File.exist?(filepath)
+
+  # Read first 8192 bytes to check for binary content
+  File.open(filepath, 'rb') do |file|
+    chunk = file.read(8192) || ''
+    # File is binary if it contains null bytes or has high ratio of non-printable chars
+    return true if chunk.include?("\x00")
+
+    # Check for high ratio of non-printable characters
+    non_printable = chunk.count("\x01-\x08\x0B\x0C\x0E-\x1F\x7F-\xFF")
+    non_printable.to_f / chunk.size > 0.3
+  end
+rescue StandardError
+  # If we can't read the file, assume it's not something we should check
+  true
+end
+
+# Maximum file size to check (10MB)
+MAX_FILE_SIZE = 10 * 1024 * 1024
 
 desc 'Ensure all files end with newline'
 task :check_newlines do
   files_without_newline = []
 
-  # Define excluded directories
-  excluded_dirs = %w[vendor/ node_modules/ .git/ pkg/ tmp/ coverage/]
+  # Define excluded directories (matching RuboCop config)
+  excluded_dirs = %w[vendor/ node_modules/ .git/ pkg/ tmp/ coverage/ specs_e2e/ e2e/ spec/fixtures/]
 
   # Get all relevant files and filter out excluded directories more efficiently
   Dir.glob('**/*.{rb,rake,yml,yaml,md,gemspec,ru,erb,js,json}')
      .reject { |f| excluded_dirs.any? { |dir| f.start_with?(dir) } }
-     .select { |f| File.file?(f) }
+     .select { |f| File.file?(f) && File.size(f) < MAX_FILE_SIZE && !binary_file?(f) }
      .each do |file|
-    content = File.read(file)
-    files_without_newline << file unless content.empty? || content.end_with?("\n")
+    # Read only the last few bytes to check for newline
+    File.open(file, 'rb') do |f|
+      f.seek([f.size - 2, 0].max)
+      tail = f.read
+      files_without_newline << file unless tail.nil? || tail.empty? || tail.end_with?("\n")
+    end
   end
 
   if files_without_newline.any?
@@ -45,14 +71,15 @@ desc 'Fix files missing final newline'
 task :fix_newlines do
   fixed_files = []
 
-  # Define excluded directories (same as check_newlines)
-  excluded_dirs = %w[vendor/ node_modules/ .git/ pkg/ tmp/ coverage/]
+  # Define excluded directories (matching RuboCop config)
+  excluded_dirs = %w[vendor/ node_modules/ .git/ pkg/ tmp/ coverage/ specs_e2e/ e2e/ spec/fixtures/]
 
   # Get all relevant files and filter out excluded directories more efficiently
   Dir.glob('**/*.{rb,rake,yml,yaml,md,gemspec,ru,erb,js,json}')
      .reject { |f| excluded_dirs.any? { |dir| f.start_with?(dir) } }
-     .select { |f| File.file?(f) }
+     .select { |f| File.file?(f) && File.size(f) < MAX_FILE_SIZE && !binary_file?(f) }
      .each do |file|
+    # Read file to check if it needs a newline
     content = File.read(file)
     unless content.empty? || content.end_with?("\n")
       File.write(file, content + "\n")