Render path contains parameter value Open
render "sandbox/#{params[:template]}/index"
- Read upRead up
- Exclude checks
When a call to render
uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
This warning is shown whenever the path to be rendered is not a static string or symbol.
These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.
Render path contains parameter value Open
render "sandbox/#{params[:template]}"
- Read upRead up
- Exclude checks
When a call to render
uses a dynamically generated path, template name, file name, or action, there is the possibility that a user can access templates that should be restricted. The issue may be worse if those templates execute code or modify the database.
This warning is shown whenever the path to be rendered is not a static string or symbol.
These warnings are often false positives, however, because it can be difficult to manipulate Rails' assumptions about paths to perform malicious behavior. Reports of dynamic render paths should be checked carefully to see if they can actually be manipulated maliciously by the user.
Method show
has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring. Open
def show
if params[:template].index('.') # CVE-2014-0130
render action: "index"
elsif lookup_context.exists?("sandbox/#{params[:template]}")
if params[:template] == "index"
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Line is too long. [106/100] (https://github.com/bbatsov/ruby-style-guide#80-character-limits) Open
@templates = Dir.glob(Rails.root.join('app', 'views', 'sandbox', '*.html.erb').to_s).map do |filename|
- Exclude checks