lint: Require access_message to access Message objects.

2017-01-19 15:59:06 -08:00 · 2017-01-19 15:59:06 -08:00 · d091691b3d
parent 477b4af39d
commit d091691b3d
1 changed files with 5 additions and 0 deletions
--- a/tools/lint-all
+++ b/tools/lint-all
@ -344,6 +344,11 @@ def build_custom_checkers(by_lang):
         '''Do not call self.client directly for put/patch/post/get.
    See WRAPPER_COMMENT in test_helpers.py for details.
    '''},
+        # Directly fetching Message objects in e.g. views code is often a security bug.
+        {'pattern': '[^r][M]essage.objects.get',
+         'exclude': set(["zerver/tests", "zerver/worker/queue_processors.py"]),
+         'description': 'Please use access_message() to fetch Message objects',
+        },
        # This rule might give false positives in virtualenv setup files which should be excluded,
        # and comments which should be rewritten to avoid use of "python2", "python3", etc.
        {'pattern': 'python[23]',