Showing 118 of 118 total issues
Use Hash#compare_by_identity instead of using object_id for keys.
@@id_hash[obj.object_id] = obj
Prefer using Hash#compare_by_identity rather than using object_id for hash keys.
This cop looks for hashes being keyed by objects' object_id, using one of these methods: key?, has_key?, fetch, [] and []=.
Safety:
This cop is unsafe. Although unlikely, the hash could store both object ids and other values that need to be compared by value, and thus could be a false positive. Furthermore, this cop cannot guarantee that the receiver of one of the methods (key?, etc.) is actually a hash.
Example:
# bad
hash = {}
hash[foo.object_id] = :bar
hash.key?(baz.object_id)
# good
hash = {}.compare_by_identity
hash[foo] = :bar
hash.key?(baz)
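Added example (not ManageIQ code) of what the identity semantics actually buy. ObjectRegistry is a hypothetical class standing in for the @@id_hash registry in the flagged line; the strings are constructed for the example. A plain Hash collapses two equal strings into one key, while an identity-keyed hash keeps both and only matches the very object that was registered, which is exactly what keying on object_id achieved, without storing and re-deriving ids.

```ruby
# Hypothetical registry standing in for the @@id_hash in the flagged line.
class ObjectRegistry
  def initialize
    # Keys are compared with equal? (object identity), the same semantics an
    # object_id-keyed hash provides, without the manual indirection.
    @objects = {}.compare_by_identity
  end

  def register(obj)
    @objects[obj] = obj
  end

  def registered?(obj)
    @objects.key?(obj)
  end

  def size
    @objects.size
  end
end

# Two String objects with equal content: a plain Hash treats them as one key
# and matches any equal string; the identity registry keeps both and does not
# match a fresh copy.
def compare_key_semantics
  first  = "vm_retire".dup
  second = "vm_retire".dup

  by_value = {}
  by_value[first] = true
  by_value[second] = true

  registry = ObjectRegistry.new
  registry.register(first)
  registry.register(second)

  {
    value_keys: by_value.size,                                    # 1: first == second
    identity_keys: registry.size,                                 # 2: distinct objects
    value_lookup: by_value.key?("vm_retire"),                     # true
    identity_lookup_copy: registry.registered?("vm_retire".dup),  # false
    identity_lookup_same: registry.registered?(first)             # true
  }
end

p compare_key_semantics if __FILE__ == $PROGRAM_NAME
```

Note that compare_by_identity is a property of the Hash instance, so it survives being passed around, whereas the object_id convention has to be remembered at every call site that touches the hash.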
Use :@object instead of "@object".
svc.instance_variable_get("@object")
Use :@object instead of "@object".
@object.evm_owner = owner && owner.instance_variable_get("@object")
Prefer using YAML.safe_load over YAML.load.
data = YAML.load(data) if export_hash['output_filename'].ends_with?('.yaml')
Checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
NOTE: on Ruby 3.1+ (Psych 4), Psych.load behaves like Psych.safe_load by default.
Safety:
The behavior of the code might change depending on what was in the YAML payload, since YAML.safe_load is more restrictive.
Example:
# bad
YAML.load("--- !ruby/object:Foo {}") # Psych 3 is unsafe by default

# good
YAML.safe_load("--- !ruby/object:Foo {}", [Foo])                    # Ruby 2.5  (Psych 3)
YAML.safe_load("--- !ruby/object:Foo {}", permitted_classes: [Foo]) # Ruby 3.0- (Psych 3)
YAML.load("--- !ruby/object:Foo {}", permitted_classes: [Foo])      # Ruby 3.1+ (Psych 4)
YAML.dump(foo)
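Added example (not ManageIQ code) for this finding and for the second YAML.load finding further down the page (hash = YAML.load(data)). It parses constructed documents with YAML.safe_load and shows what an untrusted file can carry. ExportMeta is a hypothetical class standing in for any class an attacker could name in a !ruby/object: tag; all three YAML documents are constructed for the example. On Psych 3 (Ruby 3.0 and earlier) YAML.load would have allocated the tagged class without calling its initialize; on Psych 4 only YAML.unsafe_load still does.

```ruby
require 'yaml'

# Illustration-only class: stands in for any class an attacker could name in a
# `!ruby/object:` tag. Psych revives such objects by allocate + ivar writes,
# never through `initialize`.
class ExportMeta
  attr_reader :origin
end

# Constructed sample documents. The first is what a benign export looks like;
# the other two are shapes an untrusted file could take.
PLAIN_DOC = <<~YAML
  name: vm_retire
  enabled: true
  tags: [lifecycle, retirement]
YAML

TAGGED_DOC = <<~YAML
  --- !ruby/object:ExportMeta
  origin: attacker
YAML

ALIAS_DOC = <<~YAML
  base: &b [lifecycle, retirement]
  copy: *b
YAML

# Restrictive loader: scalars, arrays and hashes only, plus any class listed
# in `permitted`. Aliases stay off, which also blocks alias-expansion
# ("billion laughs") payloads.
def load_export(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted, aliases: false)
end

# Returns [:ok, parsed] or [:rejected, exception_class_name] so a caller can
# log the rejection instead of crashing on an operator-supplied file.
# Psych::BadAlias is the Psych 3 class; Psych 4's AliasesNotEnabled inherits it.
def load_outcome(yaml, permitted: [])
  [:ok, load_export(yaml, permitted: permitted)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  p load_outcome(PLAIN_DOC)
  p load_outcome(TAGGED_DOC)
  p load_outcome(TAGGED_DOC, permitted: [ExportMeta])
  p load_outcome(ALIAS_DOC)
end
```

The permitted list should name only the classes the importer genuinely needs revived; for a domain export that is normally none, since the data is plain hashes and arrays. Anything else that a file can name is a class the loader will happily instantiate on the attacker's behalf.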
Remove redundant sort.
Dir.glob(File.join(@options['import_dir'], domain, DOMAIN_YAML_FILENAME)).sort
Since Ruby 3.0, Dir.glob and Dir[] sort their results by default. This cop checks for a redundant sort call on the result of Dir.glob and Dir[].
Safety:
This cop is unsafe when a file and a directory share a base name (exe.rb next to exe/): the default glob order yields the directory's contents before the file, so an exe/files.rb that relies on exe.rb having been loaded first will break, whereas an explicit .sort on the full paths placed exe.rb before exe/files.rb.
Example:
# bad
Dir.glob('./lib/**/*.rb').sort.each do |file|
end

Dir['./lib/**/*.rb'].sort.each do |file|
end

# good
Dir.glob('./lib/**/*.rb').each do |file|
end

Dir['./lib/**/*.rb'].each do |file|
end
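Added example (not ManageIQ code) for this finding and the second redundant-sort finding further down the page. For a domain importer the ordering matters: if the glob order depended on the filesystem, the same export could be imported in a different order on a different host. The example writes files into a throwaway directory in deliberately unsorted order and globs them three ways, including the Ruby 3.0+ sort: false keyword that restores raw readdir order; the file names are constructed for the example.

```ruby
require 'tmpdir'

# Builds a scratch directory with files created in non-alphabetical order and
# returns the basenames each glob form yields.
def glob_orders(names = %w[b.yaml c.yaml a.yaml])
  Dir.mktmpdir('glob-order') do |dir|
    names.each { |n| File.write(File.join(dir, n), "name: #{n}\n") }
    pattern = File.join(dir, '*.yaml')
    basenames = ->(paths) { paths.map { |p| File.basename(p) } }
    {
      default: basenames.call(Dir.glob(pattern)),                 # sorted since Ruby 3.0
      explicit_sort: basenames.call(Dir.glob(pattern).sort),      # the redundant form
      sort_false: basenames.call(Dir.glob(pattern, sort: false))  # raw directory order
    }
  end
end

# True when the explicit .sort adds nothing, which is the case on Ruby 3.0+.
def sort_redundant?
  orders = glob_orders
  orders[:default] == orders[:explicit_sort]
end

p glob_orders if __FILE__ == $PROGRAM_NAME
```

The sort_false entry is the only one whose order depends on the filesystem; on some systems it will happen to come back sorted, which is why the pre-3.0 code needed the explicit call and why it is now redundant rather than wrong.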
Duplicate branch body detected.
when 'vm_retire' then %w[VM Lifecycle Retirement]
Checks that there are no repeated bodies within if/unless, case-when, case-in and rescue constructs.
With IgnoreLiteralBranches: true, branches are not registered as offenses if they return a basic literal value (string, symbol, integer, float, rational, complex, true, false, or nil), or return an array, hash, regexp or range that only contains one of the above basic literal values.
With IgnoreConstantBranches: true, branches are not registered as offenses if they return a constant value.
Example:
# bad
if foo
  do_foo
  do_something_else
elsif bar
  do_foo
  do_something_else
end

# good
if foo || bar
  do_foo
  do_something_else
end

# bad
case x
when foo
  do_foo
when bar
  do_foo
else
  do_something_else
end

# good
case x
when foo, bar
  do_foo
else
  do_something_else
end

# bad
begin
  do_something
rescue FooError
  handle_error
rescue BarError
  handle_error
end

# good
begin
  do_something
rescue FooError, BarError
  handle_error
end

Example: IgnoreLiteralBranches: true
# good
case size
when "small" then 100
when "medium" then 250
when "large" then 1000
else 250
end

Example: IgnoreConstantBranches: true
# good
case size
when "small" then SMALL_SIZE
when "medium" then MEDIUM_SIZE
when "large" then LARGE_SIZE
else MEDIUM_SIZE
end
Use filter_map instead.
states = fields(message).collect { |f| f['name'] if f['aetype'] == 'state' }.compact
metadata['rubygems_mfa_required'] must be set to 'true'.
Gem::Specification.new do |spec|
  spec.name = "manageiq-automation_engine"
  spec.version = ManageIQ::AutomationEngine::VERSION
  spec.authors = ["ManageIQ Authors"]
Requires a gemspec to have rubygems_mfa_required metadata set.
This setting tells RubyGems that MFA (Multi-Factor Authentication) is required for accounts to be able to perform privileged operations, such as (see RubyGems' documentation for the full list of privileged operations):
- gem push
- gem yank
- gem owner --add/remove
- adding or removing owners using the gem ownership page
This helps make your gem more secure, as users can be more confident that gem updates were pushed by maintainers.
Example:
# bad
Gem::Specification.new do |spec|
  # no `rubygems_mfa_required` metadata specified
end

# good
Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'true'
  }
end

# good
Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'true'
end

# bad
Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'false'
  }
end

# good
Gem::Specification.new do |spec|
  spec.metadata = {
    'rubygems_mfa_required' => 'true'
  }
end

# bad
Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'false'
end

# good
Gem::Specification.new do |spec|
  spec.metadata['rubygems_mfa_required'] = 'true'
end
Use filter_map instead.
@src_instance.ae_values.collect do |v|
  attrs = v.attributes.delete_if { |k, _| DELETE_PROPERTIES.include?(k) }
  field_id = get_new_field_id(v.field_id)
  next if field_id.nil?
Use filter_map instead.
objects_str.split("\x1F").collect do |element|
  if element.include?(CLASS_SEPARATOR)
    klass, str_value = element.split(CLASS_SEPARATOR)
    MiqAeObject.convert_value_based_on_datatype(str_value.strip, klass.strip)
  else
Use filter_map instead.
matches = arclass.where("lower(name) = ?", name.downcase).collect do |obj|
  get_domain_index_object(domains, obj, klass, namespace, enabled, options)
end.compact
Do not suppress exceptions.
rescue LoadError
Checks for rescue blocks with no body.
Example:
# bad
def some_method
  do_something
rescue
end

# bad
begin
  do_something
rescue
end

# good
def some_method
  do_something
rescue
  handle_exception
end

# good
begin
  do_something
rescue
  handle_exception
end

Example: AllowComments: true (default)
# good
def some_method
  do_something
rescue
  # do nothing
end

# good
begin
  do_something
rescue
  # do nothing
end

Example: AllowComments: false
# bad
def some_method
  do_something
rescue
  # do nothing
end

# bad
begin
  do_something
rescue
  # do nothing
end

Example: AllowNil: true (default)
# good
def some_method
  do_something
rescue
  nil
end

# good
begin
  do_something
rescue
  # do nothing
end

# good
do_something rescue nil

Example: AllowNil: false
# bad
def some_method
  do_something
rescue
  nil
end

# bad
begin
  do_something
rescue
  nil
end

# bad
do_something rescue nil
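Added example (not ManageIQ code) of the two fixes a reviewer would ask for here. The flagged line is a bare rescue LoadError, the usual shape of an optional require; load_optional keeps that intent but records the outcome so a missing library shows up in logs and to callers instead of silently disabling whatever depended on it. The second pair shows why the AllowNil: false examples matter for untrusted input: a modifier rescue nil hides the TypeError that signals a bug just as readily as the ArgumentError that malformed input is expected to raise. The feature names, logger and RAW_IDS input are constructed for the example.

```ruby
require 'logger'

# Load an optional dependency without suppressing the failure. Returns true or
# false so callers can branch on it; the logger is injectable so tests can
# keep it quiet.
def load_optional(feature, logger: Logger.new($stderr))
  require feature
  logger.debug("optional feature #{feature} loaded")
  true
rescue LoadError => e
  logger.warn("optional feature #{feature} unavailable, continuing without it: #{e.message}")
  false
end

# Constructed input: identifiers from an untrusted file, two of them malformed
# and one nil (an upstream bug, not bad user input).
RAW_IDS = ['42', '7', 'abc', '', nil].freeze

# The shape the cop's AllowNil: false examples flag. `rescue nil` is a modifier
# rescue of StandardError, so the nil element disappears along with the
# malformed strings and nobody learns that anything was wrong.
def parse_ids_swallowing(raw)
  raw.map { |r| Integer(r) rescue nil }.compact
end

# Rescue only the exception malformed input is expected to raise, keep a record
# of each rejection, and let anything else propagate as the bug it is.
def parse_ids(raw)
  accepted = []
  rejected = []
  raw.each do |r|
    begin
      accepted << Integer(r)
    rescue ArgumentError => e
      rejected << [r, e.message]
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  p load_optional('json')
  p parse_ids_swallowing(RAW_IDS)
  p parse_ids(RAW_IDS.compact)
end
```

The rejected list is what an importer should surface (log it, count it, or fail the import once it is non-empty); the narrow rescue class is what keeps a genuine programming error from being filed under "bad input".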
Remove redundant sort.
Dir.glob(File.join(File.join(class_folder, METHOD_FOLDER_NAME), '*.yaml')).sort
Use filter_map instead.
states = fields(message).collect { |f| f['name'] if f['aetype'] == 'state' }.compact
Use filter_map instead.
@fields_ordered.collect do |fname|
  @fields[fname] if message.nil? || self.class.message_matches?(message_parse(@fields[fname]['message']), message)
end.compact
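The filter_map findings on this page (this one and the collect { ... }.compact ones above it) carry no cop description, so here is an added example, not ManageIQ code, of the one behavioural difference to check before applying the suggestion: compact removes only nil, filter_map removes every falsy result. FIELDS is constructed for the example in the shape the flagged fields(message).collect line iterates over; only the 'name' and 'aetype' keys are assumed.

```ruby
# Constructed field hashes; the last entry is malformed (name is false).
FIELDS = [
  { 'name' => 'pre1',   'aetype' => 'state' },
  { 'name' => 'notify', 'aetype' => 'method' },
  { 'name' => 'pre2',   'aetype' => 'state' },
  { 'name' => false,    'aetype' => 'state' }
].freeze

# The flagged form: the block returns nil for non-state fields and compact
# drops only nil, so a false name survives into the result.
def state_names_compact(fields)
  fields.collect { |f| f['name'] if f['aetype'] == 'state' }.compact
end

# filter_map (Ruby 2.7+) drops every falsy block result, nil and false alike,
# and builds one array instead of an intermediate plus a compacted copy.
def state_names_filter_map(fields)
  fields.filter_map { |f| f['name'] if f['aetype'] == 'state' }
end

if __FILE__ == $PROGRAM_NAME
  p state_names_compact(FIELDS)
  p state_names_filter_map(FIELDS)
end
```

For the state-name lookups on this page a false name is garbage either way, so the rewrite is safe; where false is a legitimate value the original collect plus compact is the correct form and the suggestion should be declined.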
Use collect { |x| x.name.upcase } instead of collect method chain.
domains = @workspace.ae_user.current_tenant.ae_domains.collect(&:name).map(&:upcase)
Use :@object instead of '@object'.
svc_obj.instance_variable_get('@object')
Prefer using YAML.safe_load over YAML.load.
hash = YAML.load(data)
Use collect { |x| x.name.upcase } instead of collect method chain.
domains = @workspace.ae_user.current_tenant.visible_domains.collect(&:name).map(&:upcase)
Use :@data instead of "@data".
instance_variable_set("@data", contents)