Possible unprotected redirect Open
return (redirect_to uri) if sanitary_uri?(uri)
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to
appears to be used with a user-supplied value that may allow them to change the :host
option.
For example,
redirect_to params.merge(:action => :home)
will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)
This is because params
could contain :host => 'evilsite.com'
which would redirect away from your site and to a malicious site.
If the first argument to redirect_to
is a hash, then adding :only_path => true
will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')
If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).path
If the URL does not contain a protocol (e.g., http://
), then you will probably get unexpected results, as redirect_to
will prepend the current host name and a protocol.
Assignment Branch Condition size for create is too high. [23.85/20] (http://c2.com/cgi/wiki?AbcMetric) Open
def create
if auth_params && current_user
bind_auth
elsif request.env['omniauth.redirect'].present?
uri = request.env['omniauth.redirect']
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Cyclomatic complexity for create is too high. [7/6] Open
def create
if auth_params && current_user
bind_auth
elsif request.env['omniauth.redirect'].present?
uri = request.env['omniauth.redirect']
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.
An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.
Method create
has a Cognitive Complexity of 9 (exceeds 5 allowed). Consider refactoring. Open
def create
if auth_params && current_user
bind_auth
elsif request.env['omniauth.redirect'].present?
uri = request.env['omniauth.redirect']
- Read upRead up
- Create a ticketCreate a ticket
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Align the parameters of a method call if they span more than one line. (https://github.com/bbatsov/ruby-style-guide#no-double-indent) Open
provider: t("authorizations.providers.#{auth.provider}"))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Here we check if the parameters on a multi-line method call or definition are aligned.
Example: EnforcedStyle: withfirstparameter (default)
# good
foo :bar,
:baz
# bad
foo :bar,
:baz
Example: EnforcedStyle: withfixedindentation
# good
foo :bar,
:baz
# bad
foo :bar,
:baz
Use %i
or %I
for an array of symbols. (https://github.com/bbatsov/ruby-style-guide#percent-i) Open
skip_before_action :verify_authenticity_token, only: [:create, :destroy]
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
This cop can check for array literals made up of symbols that are not using the %i() syntax.
Alternatively, it checks for symbol arrays using the %i() syntax on projects which do not want to use that syntax.
Configuration option: MinSize
If set, arrays with fewer elements than this value will not trigger the
cop. For example, a MinSize of
3` will not enforce a style on an array
of 2 or fewer elements.
Example: EnforcedStyle: percent (default)
# good
%i[foo bar baz]
# bad
[:foo, :bar, :baz]
Example: EnforcedStyle: brackets
# good
[:foo, :bar, :baz]
# bad
%i[foo bar baz]
Align the parameters of a method call if they span more than one line. (https://github.com/bbatsov/ruby-style-guide#no-double-indent) Open
provider: t("authorizations.providers.#{auth.provider}"))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Here we check if the parameters on a multi-line method call or definition are aligned.
Example: EnforcedStyle: withfirstparameter (default)
# good
foo :bar,
:baz
# bad
foo :bar,
:baz
Example: EnforcedStyle: withfixedindentation
# good
foo :bar,
:baz
# bad
foo :bar,
:baz
(...)
interpreted as grouped expression. (https://github.com/bbatsov/ruby-style-guide#parens-no-spaces) Open
redirect_to (redirect_url || callback_url)
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks for space between the name of a called method and a left parenthesis.
Example:
# bad
puts (x + y)
Example:
# good
puts(x + y)
Use a guard clause instead of wrapping the code inside a conditional expression. (https://github.com/bbatsov/ruby-style-guide#no-nested-conditionals) Open
if login_name.present?
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Use a guard clause instead of wrapping the code inside a conditional expression
Example:
# bad
def test
if something
work
end
end
# good
def test
return unless something
work
end
# also good
def test
work if something
end
# bad
if something
raise 'exception'
else
ok
end
# good
raise 'exception' if something
ok
%w
-literals should be delimited by [
and ]
. (https://github.com/bbatsov/ruby-style-guide#percent-literal-braces) Open
URI.parse(uri).scheme.in?(%w(http https))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
This cop enforces the consistent usage of %
-literal delimiters.
Specify the 'default' key to set all preferred delimiters at once. You can continue to specify individual preferred delimiters to override the default.
Example:
# Style/PercentLiteralDelimiters:
# PreferredDelimiters:
# default: '[]'
# '%i': '()'
# good
%w[alpha beta] + %i(gamma delta)
# bad
%W(alpha #{beta})
# bad
%I(alpha beta)