Parameter value used in file name
File.open filename, 'rb' do |f|
Using user input when accessing files (local or remote) will raise a warning in Brakeman.
For example
File.open("/tmp/#{cookie[:file]}")
will raise an error like
Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")
This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd).
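As an added example (not code from this project or from Brakeman), the flagged `show` logic is shown beside a hardened variant. PRIVATE_DIR and ALLOWED_FORMATS are assumed stand-ins for Rails.root.join('private') and the application's real extension allow-list:

```ruby
require 'pathname'

# Assumption: stands in for Rails.root.join('private') in the flagged action.
PRIVATE_DIR = Pathname.new('/srv/app/private')
# Assumption: the formats the application actually serves.
ALLOWED_FORMATS = %w[pdf csv].freeze

# Mirrors the flagged line: params[:filename] and params[:format] flow
# straight into the path. Pathname#join resolves "..", so a filename of
# "../../../etc/passwd" leaves the private directory entirely.
def unsafe_private_path(filename, format)
  PRIVATE_DIR.join(filename + '.' + format)
end

# Hardened version: accept only a plain basename and an allow-listed
# extension, then resolve the result and confirm it is still under
# PRIVATE_DIR. Returns nil for anything that fails a check.
def safe_private_path(filename, format)
  return nil unless filename.is_a?(String) && filename.match?(/\A[\w\-]+\z/)
  return nil unless ALLOWED_FORMATS.include?(format)

  candidate = PRIVATE_DIR.join("#{filename}.#{format}").expand_path
  # Defence in depth: containment check even though the regex already
  # excludes separators and "..".
  return nil unless candidate.to_s.start_with?("#{PRIVATE_DIR}/")

  candidate
end
```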
Assignment Branch Condition size for show is too high. [<2, 17, 2> 17.23/17] (http://c2.com/cgi/wiki?AbcMetric, https://en.wikipedia.org/wiki/ABC_Software_Metric)
def show
authorize! :show, :download
filename = Rails.root.join('private', params[:filename] + '.' + params[:format])
if File.file? filename
File.open filename, 'rb' do |f|
Checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric and https://en.wikipedia.org/wiki/ABC_Software_Metric.
Interpreting ABC size:
- <= 17 satisfactory
- 18..30 unsatisfactory
- > 30 dangerous
You can have repeated "attributes" calls count as a single "branch". For this purpose, attributes are any method with no argument; no attempt is made to distinguish an actual attr_reader from other methods.
Example: CountRepeatedAttributes: false (default is true)
# `model` and `current_user`, referenced 3 times each,
# are each counted as only 1 branch each if
# `CountRepeatedAttributes` is set to 'false'
def search
@posts = model.active.visible_by(current_user)
.search(params[:q])
@posts = model.some_process(@posts, current_user)
@posts = model.another_process(@posts, current_user)
render 'pages/search/page'
end
This cop also takes into account AllowedMethods (defaults to []) and AllowedPatterns (defaults to []).
Prefer string interpolation to string concatenation. (https://rubystyle.guide#string-interpolation)
filename = Rails.root.join('private', params[:filename] + '.' + params[:format])
Checks for places where string concatenation can be replaced with string interpolation.
The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.
NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.
Two modes are supported:
1. aggressive style checks and corrects all occurrences of + where either the left or right side of + is a string literal.
2. conservative style, on the other hand, checks and corrects only if the left side (receiver of the + method call) is a string literal. This is useful when the receiver is some expression that returns a string, like a Pathname, instead of a string literal.
Safety: This cop is unsafe in aggressive mode, as it cannot be guaranteed that the receiver is actually a string, which can result in a false positive.
Example: Mode: aggressive (default)
# bad
email_with_name = user.name + ' <' + user.email + '>'
Pathname.new('/') + 'test'
# good
email_with_name = "#{user.name} <#{user.email}>"
email_with_name = format('%s <%s>', user.name, user.email)
"#{Pathname.new('/')}test"
# accepted, line-end concatenation
name = 'First' +
'Last'
Example: Mode: conservative
# bad
'Hello' + user.name
# good
"Hello #{user.name}"
user.name + '!!'
Pathname.new('/') + 'test'
Prefer string interpolation to string concatenation. (https://rubystyle.guide#string-interpolation)
redirect_to root_path, alert: 'No such file exists: ' + filename.to_s