Sign upLogin

Gandi/hieraviz

View on GitHub
Star

Showing 245 of 245 total issues

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Denial of service via header parsing in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

sinatra does not validate expanded path matches
Open

    sinatra (1.4.7)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29970

Criticality: High

URL: https://github.com/sinatra/sinatra/pull/1683

Solution: upgrade to >= 2.2.0

Denial of service via multipart parsing in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (1.8.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

OS Command Injection in Rake
Open

    rake (10.5.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Sinatra vulnerable to Reflected File Download attack
Open

    sinatra (1.4.7)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-45442

Criticality: High

URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw

Solution: upgrade to ~> 2.2.3, >= 3.0.4

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

    better_errors (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

httparty has multipart/form-data request tampering vulnerability
Open

    httparty (0.14.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: Medium

URL: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42

Solution: upgrade to >= 0.21.0

Reallocation bug can trigger heap memory corruption
Open

    yajl-ruby (1.2.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24795

Criticality: Medium

URL: https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm

Solution: upgrade to >= 1.4.2

Flaw in yajl-ruby gem may cause a DoS
Open

    yajl-ruby (1.2.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-16516

Criticality: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-16516

Solution: upgrade to >= 1.3.1

RuboCop gem Insecure use of /tmp
Open

    rubocop (0.41.1)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-8418

Criticality: Low

URL: https://github.com/bbatsov/rubocop/issues/4336

Solution: upgrade to >= 0.49.0

Similar blocks of code found in 2 locations. Consider refactoring.
Open

    info: function(node) {
      start_wait(meat);
      fetch('/v1/' + base + '/node/' + node + '/info', auth_header()).
        then(res => res.json()).
        then(j => {
Severity: Major
Found in app/public/js/nodes.js and 1 other location - About 7 hrs to fix
app/public/js/nodes.js on lines 310..327

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 182.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

    allparams: function(node) {
      start_wait(meat);
      fetch('/v1/' + base + '/node/' + node + '/allparams', auth_header()).
        then(res => res.json()).
        then(j => {
Severity: Major
Found in app/public/js/nodes.js and 1 other location - About 7 hrs to fix
app/public/js/nodes.js on lines 291..308

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 182.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Block has too many lines. [74/25]
Open

    helpers do
      case settings.configdata['auth_method']
      when 'dummy'

        def username
Severity: Minor
Found in app/common.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

Assignment Branch Condition size for cross_origin is too high. [36.04/15]
Open

      def cross_origin(hash=nil)
        request_origin = request.env['HTTP_ORIGIN']
        return unless request_origin
        settings.set hash if hash
Severity: Minor
Found in lib/sinatra/cross-origin.rb by rubocop

This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric

Severity
Category
Status
Source
Language