Sign upLogin

CommunityGrows/communitygrows

View on GitHub
Star
app/models/category.rb

Summary

Maintainability
A
0 mins
Test Coverage

Possible SQL injection
Open

            docs = category.documents.reorder("#{sort_by} DESC")
Severity: Minor
Found in app/models/category.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible SQL injection
Open

            docs = category.documents.reorder("#{sort_by} ASC")
Severity: Minor
Found in app/models/category.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Method Category.update_category_order is defined at both app/models/category.rb:20 and app/models/category.rb:34.
Open

    def self.update_category_order(order)
Severity: Minor
Found in app/models/category.rb by rubocop

This cop checks for duplicated instance (or singleton) method definitions.

Example:

# bad

def duplicated
  1
end

def duplicated
  2
end

Example:

# bad

def duplicated
  1
end

alias duplicated other_duplicated

Example:

# good

def duplicated
  1
end

def other_duplicated
  2
end

end at 38, 4 is not aligned with def at 34, 1.
Open

    end
Severity: Minor
Found in app/models/category.rb by rubocop

This cop checks whether the end keywords of method definitions are aligned properly.

Two modes are supported through the EnforcedStyleAlignWith configuration parameter. If it's set to start_of_line (which is the default), the end shall be aligned with the start of the line where the def keyword is. If it's set to def, the end shall be aligned with the def keyword.

Example: EnforcedStyleAlignWith: startofline (default)

# bad

private def foo
            end

# good

private def foo
end

Example: EnforcedStyleAlignWith: def

# bad

private def foo
            end

# good

private def foo
        end

end at 7, 3 is not aligned with def at 4, 1.
Open

      end
Severity: Minor
Found in app/models/category.rb by rubocop

This cop checks whether the end keywords of method definitions are aligned properly.

Two modes are supported through the EnforcedStyleAlignWith configuration parameter. If it's set to start_of_line (which is the default), the end shall be aligned with the start of the line where the def keyword is. If it's set to def, the end shall be aligned with the def keyword.

Example: EnforcedStyleAlignWith: startofline (default)

# bad

private def foo
            end

# good

private def foo
end

Example: EnforcedStyleAlignWith: def

# bad

private def foo
            end

# good

private def foo
        end

end at 37, 8 is not aligned with order.each_with_index do |id, i| at 35, 2.
Open

        end
Severity: Minor
Found in app/models/category.rb by rubocop

This cop checks whether the end keywords are aligned properly for do end blocks.

Three modes are supported through the EnforcedStyleAlignWith configuration parameter:

start_of_block : the end shall be aligned with the start of the line where the do appeared.

start_of_line : the end shall be aligned with the start of the line where the expression started.

either (which is the default) : the end is allowed to be in either location. The autofixer will default to start_of_line.

Example: EnforcedStyleAlignWith: either (default)

# bad

foo.bar
   .each do
     baz
       end

# good

variable = lambda do |i|
  i
end

Example: EnforcedStyleAlignWith: startofblock

# bad

foo.bar
   .each do
     baz
       end

# good

foo.bar
  .each do
     baz
   end

Example: EnforcedStyleAlignWith: startofline

# bad

foo.bar
   .each do
     baz
       end

# good

foo.bar
  .each do
     baz
end

There are no issues that match your filters.

Category
Status