MidnightRiders/MemberPortal

app/controllers/downloads_controller.rb

Summary

Maintainability: A (0 mins)
Test Coverage

Parameter value used in file name

      File.open filename, 'rb' do |f|

Using user input when accessing files (local or remote) will raise a warning in Brakeman.

For example

File.open("/tmp/#{cookie[:file]}")

will raise a warning like

Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")

This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd).

Assignment Branch Condition size for show is too high. [<2, 17, 2> 17.23/17] (http://c2.com/cgi/wiki?AbcMetric, https://en.wikipedia.org/wiki/ABC_Software_Metric)

  def show
    authorize! :show, :download
    filename = Rails.root.join('private', params[:filename] + '.' + params[:format])
    if File.file? filename
      File.open filename, 'rb' do |f|

Checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric and https://en.wikipedia.org/wiki/ABC_Software_Metric.

Interpreting ABC size:

  • <= 17 satisfactory
  • 18..30 unsatisfactory
  • > 30 dangerous

You can have repeated "attributes" calls count as a single "branch". For this purpose, attributes are any method with no argument; no attempt is made to distinguish an actual attr_reader from other methods.

Example: CountRepeatedAttributes: false (default is true)

  # `model` and `current_user`, referenced 3 times each,
  # are each counted as only 1 branch each if
  # `CountRepeatedAttributes` is set to 'false'

  def search
    @posts = model.active.visible_by(current_user)
               .search(params[:q])
    @posts = model.some_process(@posts, current_user)
    @posts = model.another_process(@posts, current_user)

    render 'pages/search/page'
  end

This cop also takes into account AllowedMethods (defaults to []) and AllowedPatterns (defaults to []).

Prefer string interpolation to string concatenation. (https://rubystyle.guide#string-interpolation)

    filename = Rails.root.join('private', params[:filename] + '.' + params[:format])

Checks for places where string concatenation can be replaced with string interpolation.

The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

Two modes are supported:

  • aggressive: checks and corrects all occurrences of + where either the left or right side of + is a string literal.
  • conservative: checks and corrects only if the left side (the receiver of the + method call) is a string literal. This is useful when the receiver is some expression that returns a string, like Pathname, instead of a string literal.

Safety:

This cop is unsafe in aggressive mode, as it cannot be guaranteed that the receiver is actually a string, which can result in a false positive.

Example: Mode: aggressive (default)

# bad
email_with_name = user.name + ' <' + user.email + '>'
Pathname.new('/') + 'test'

# good
email_with_name = "#{user.name} <#{user.email}>"
email_with_name = format('%s <%s>', user.name, user.email)
"#{Pathname.new('/')}test"

# accepted, line-end concatenation
name = 'First' +
  'Last'

Example: Mode: conservative

# bad
'Hello' + user.name

# good
"Hello #{user.name}"
user.name + '!!'
Pathname.new('/') + 'test'

Prefer string interpolation to string concatenation. (https://rubystyle.guide#string-interpolation)

      redirect_to root_path, alert: 'No such file exists: ' + filename.to_s

