Sign upLogin

GeekPark/gpk_account

View on GitHub
Star
app/controllers/sessions_controller.rb

Summary

Maintainability
A
55 mins
Test Coverage

Possible unprotected redirect
Open

      return (redirect_to uri) if sanitary_uri?(uri)
Severity: Critical
Found in app/controllers/sessions_controller.rb by brakeman

Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

For example,

redirect_to params.merge(:action => :home)

will create a warning like

Possible unprotected redirect near line 46: redirect_to(params)

This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

redirect_to params.merge(:only_path => true)

redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

redirect_to URI.parse(some_url).path

If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

Assignment Branch Condition size for create is too high. [23.85/20] (http://c2.com/cgi/wiki?AbcMetric)
Open

  def create
    if auth_params && current_user
      bind_auth
    elsif request.env['omniauth.redirect'].present?
      uri = request.env['omniauth.redirect']
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric

Cyclomatic complexity for create is too high. [7/6]
Open

  def create
    if auth_params && current_user
      bind_auth
    elsif request.env['omniauth.redirect'].present?
      uri = request.env['omniauth.redirect']
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.

Method create has a Cognitive Complexity of 9 (exceeds 5 allowed). Consider refactoring.
Open

  def create
    if auth_params && current_user
      bind_auth
    elsif request.env['omniauth.redirect'].present?
      uri = request.env['omniauth.redirect']
Severity: Minor
Found in app/controllers/sessions_controller.rb - About 55 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Align the parameters of a method call if they span more than one line. (https://github.com/bbatsov/ruby-style-guide#no-double-indent)
Open

        provider: t("authorizations.providers.#{auth.provider}"))
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

Here we check if the parameters on a multi-line method call or definition are aligned.

Example: EnforcedStyle: withfirstparameter (default)

# good

foo :bar,
    :baz

# bad

foo :bar,
  :baz

Example: EnforcedStyle: withfixedindentation

# good

foo :bar,
  :baz

# bad

foo :bar,
    :baz

Use %i or %I for an array of symbols. (https://github.com/bbatsov/ruby-style-guide#percent-i)
Open

  skip_before_action :verify_authenticity_token, only: [:create, :destroy]
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

This cop can check for array literals made up of symbols that are not using the %i() syntax.

Alternatively, it checks for symbol arrays using the %i() syntax on projects which do not want to use that syntax.

Configuration option: MinSize If set, arrays with fewer elements than this value will not trigger the cop. For example, a MinSize of3` will not enforce a style on an array of 2 or fewer elements.

Example: EnforcedStyle: percent (default)

# good
%i[foo bar baz]

# bad
[:foo, :bar, :baz]

Example: EnforcedStyle: brackets

# good
[:foo, :bar, :baz]

# bad
%i[foo bar baz]

Align the parameters of a method call if they span more than one line. (https://github.com/bbatsov/ruby-style-guide#no-double-indent)
Open

        provider: t("authorizations.providers.#{auth.provider}"))
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

Here we check if the parameters on a multi-line method call or definition are aligned.

Example: EnforcedStyle: withfirstparameter (default)

# good

foo :bar,
    :baz

# bad

foo :bar,
  :baz

Example: EnforcedStyle: withfixedindentation

# good

foo :bar,
  :baz

# bad

foo :bar,
    :baz

(...) interpreted as grouped expression. (https://github.com/bbatsov/ruby-style-guide#parens-no-spaces)
Open

      redirect_to (redirect_url || callback_url)
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

Checks for space between the name of a called method and a left parenthesis.

Example:

# bad

puts (x + y)

Example:

# good

puts(x + y)

Use a guard clause instead of wrapping the code inside a conditional expression. (https://github.com/bbatsov/ruby-style-guide#no-nested-conditionals)
Open

    if login_name.present?
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

Use a guard clause instead of wrapping the code inside a conditional expression

Example:

# bad
def test
  if something
    work
  end
end

# good
def test
  return unless something
  work
end

# also good
def test
  work if something
end

# bad
if something
  raise 'exception'
else
  ok
end

# good
raise 'exception' if something
ok

%w-literals should be delimited by [ and ]. (https://github.com/bbatsov/ruby-style-guide#percent-literal-braces)
Open

    URI.parse(uri).scheme.in?(%w(http https))
Severity: Minor
Found in app/controllers/sessions_controller.rb by rubocop

This cop enforces the consistent usage of %-literal delimiters.

Specify the 'default' key to set all preferred delimiters at once. You can continue to specify individual preferred delimiters to override the default.

Example:

# Style/PercentLiteralDelimiters:
#   PreferredDelimiters:
#     default: '[]'
#     '%i':    '()'

# good
%w[alpha beta] + %i(gamma delta)

# bad
%W(alpha #{beta})

# bad
%I(alpha beta)

There are no issues that match your filters.

Category
Status