Showing 591 of 591 total issues
Path Traversal in Sprockets Open
sprockets (3.7.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Regular Expression Denial of Service in websocket-extensions (RubyGem) Open
websocket-extensions (0.1.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-7663
Criticality: High
URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
Solution: upgrade to >= 0.1.5
Broken Access Control vulnerability in Active Job Open
activejob (4.2.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
Revert libxml2 behavior in Nokogiri gem that could cause XSS Open
nokogiri (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-8048
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Solution: upgrade to >= 1.8.3
omniauth leaks authenticity token in callback params Open
omniauth (1.3.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-18076
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/867
Solution: upgrade to >= 1.3.2
Moderate severity vulnerability that affects nokogiri Open
nokogiri (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-18258
Criticality: Medium
URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Solution: upgrade to >= 1.8.2
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Open
nokogiri (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-14404
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Solution: upgrade to >= 1.8.5
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Nokogiri gem, via libxml, is affected by DoS vulnerabilities Open
nokogiri (1.8.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-15412
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.2
Denial of Service Vulnerability in Action View Open
actionview (4.2.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
rack-cors Gem Missing Anchor permits unauthorized CORS requests Open
rack-cors (0.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-11173
Criticality: High
URL: https://github.com/cyu/rack-cors/issues/86
Solution: upgrade to >= 0.4.1
XSS vulnerability in rails-html-sanitizer Open
rails-html-sanitizer (1.0.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3741
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Solution: upgrade to >= 1.0.4
Doorkeeper gem has stored XSS on authorization consent view Open
doorkeeper (4.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-1000088
Criticality: High
URL: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
Solution: upgrade to >= 4.2.6
Possible XSS vulnerability in Rack Open
rack (1.6.8)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Method role_ids_to_roles
has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
def role_ids_to_roles
roles = []
role_id_params.each do |id|
next unless id.present?
role = Role.find(id) or next
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Block has too many lines. [29/25] Open
ActiveAdmin.register Report do
permit_params :name, :query, :shared, :user_id
hstore_editor
form do |f|
- Read upRead up
- Exclude checks
This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.
Method get_content_tag
has 5 arguments (exceeds 4 allowed). Consider refactoring. Open
def get_content_tag(element, adjusted_time, adjusted_time_str, ago, opts)
Similar blocks of code found in 2 locations. Consider refactoring. Open
b.wrapper tag: "div", class: "col-sm-9" do |ba|
ba.use :input, class: "form-control"
ba.use :error, wrap_with: { tag: "span", class: "help-block" }
ba.use :hint, wrap_with: { tag: "p", class: "help-block" }
end
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 36.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Similar blocks of code found in 2 locations. Consider refactoring. Open
b.wrapper tag: "div", class: "form-inline" do |ba|
ba.use :input, class: "form-control"
ba.use :error, wrap_with: { tag: "span", class: "help-block" }
ba.use :hint, wrap_with: { tag: "p", class: "help-block" }
end
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 36.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Method sort=
has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring. Open
def sort=(field)
sort_field = field || ""
direction = sort_field.start_with?("-") ? :desc : :asc
field_name = sort_field.gsub(/\A-/, "")
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"