app/controllers/api/file_upload_controller.rb
Parameter value used in file name
File.open(dir_path.join(file_location), 'wb') do |f|
Using user input when accessing files (local or remote) will raise a warning in Brakeman.
For example,
File.open("/tmp/#{cookie[:file]}")
will raise a warning like
Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")
This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd).
Method has too many lines. [19/10]
def upload_file
if ENV['S3_BUCKET_NAME'].blank?
file = params[:file]
rel_path = 'public/temp-uploads/'
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Assignment Branch Condition size for upload_file is too high. [<7, 20, 2> 21.28/15]
def upload_file
if ENV['S3_BUCKET_NAME'].blank?
file = params[:file]
rel_path = 'public/temp-uploads/'
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric and https://en.wikipedia.org/wiki/ABC_Software_Metric.
Add an empty line after magic comments.
require 'fileutils'
Checks for a newline after the final magic comment.
Example:
# good
# frozen_string_literal: true

# Some documentation for Person
class Person
  # Some code
end

# bad
# frozen_string_literal: true
# Some documentation for Person
class Person
  # Some code
end