Unprotected mass assignment Open
@player = Player.new(player_params)
- Read upRead up
- Exclude checks
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Example:
User.new(params[:user])
Unfortunately, if there is a user field called admin
which controls administrator access, now any user can make themselves an administrator.
attr_accessible
and attr_protected
can be used to limit mass assignment. However, Brakeman will warn unless attr_accessible
is used, or mass assignment is completely disabled.
There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like
Unprotected mass assignment near line 61: User.new(params[:user])
The other warning is raised whenever a model is found which does not use attr_accessible
. This produces generic warnings like
Mass assignment is not restricted using attr_accessible
with a list of affected models.
In Rails 3.1 and newer, mass assignment can easily be disabled:
config.active_record.whitelist_attributes = true
Unfortunately, it can also easily be bypassed:
User.new(params[:user], :without_protection => true)
Brakeman will warn on uses of without_protection
.
Method has too many lines. [12/10] (https://rubystyle.guide#short-methods) Open
def update
respond_to do |format|
if @player.update(player_params)
format.html { redirect_to @player, notice: 'Player was successfully updated.' }
format.json {
- Read upRead up
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set literals you want to fold with CountAsOne
.
Available are: 'array', 'hash', and 'heredoc'. Each literal
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
end # 5 points
Move locale texts to the locale files in the config/locales
directory. (https://rails.rubystyle.guide/#locale-texts) Open
format.html { redirect_to @player, notice: 'Player was successfully updated.' }
- Exclude checks
Move locale texts to the locale files in the config/locales
directory. (https://rails.rubystyle.guide/#locale-texts) Open
format.html { redirect_to @player, notice: 'Player was successfully created.' }
- Exclude checks
Similar blocks of code found in 3 locations. Consider refactoring. Open
def create
@player = Player.new(player_params)
respond_to do |format|
if @player.save
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 50.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Put empty method definitions on a single line. (https://rubystyle.guide#no-single-line-methods) Open
def edit
end
- Read upRead up
- Exclude checks
Checks for the formatting of empty method definitions.
By default it enforces empty method definitions to go on a single
line (compact style), but it can be configured to enforce the end
to go on its own line (expanded style).
NOTE: A method definition is not considered empty if it contains comments.
NOTE: Autocorrection will not be applied for the compact
style
if the resulting code is longer than the Max
configuration for
Layout/LineLength
, but an offense will still be registered.
Example: EnforcedStyle: compact (default)
# bad
def foo(bar)
end
def self.foo(bar)
end
# good
def foo(bar); end
def foo(bar)
# baz
end
def self.foo(bar); end
Example: EnforcedStyle: expanded
# bad
def foo(bar); end
def self.foo(bar); end
# good
def foo(bar)
end
def self.foo(bar)
end
Prefer do...end
over {...}
for procedural blocks. (https://rubystyle.guide#single-line-blocks) Open
format.html { redirect_to @player, notice: 'Player was successfully created.' }
- Read upRead up
- Exclude checks
Check for uses of braces or do/end around single line or multi-line blocks.
Methods that can be either procedural or functional and cannot be
categorised from their usage alone is ignored.
lambda
, proc
, and it
are their defaults.
Additional methods can be added to the AllowedMethods
.
Example: EnforcedStyle: linecountbased (default)
# bad - single line block
items.each do |item| item / 5 end
# good - single line block
items.each { |item| item / 5 }
# bad - multi-line block
things.map { |thing|
something = thing.some_method
process(something)
}
# good - multi-line block
things.map do |thing|
something = thing.some_method
process(something)
end
Example: EnforcedStyle: semantic
# Prefer `do...end` over `{...}` for procedural blocks.
# return value is used/assigned
# bad
foo = map do |x|
x
end
puts (map do |x|
x
end)
# return value is not used out of scope
# good
map do |x|
x
end
# Prefer `{...}` over `do...end` for functional blocks.
# return value is not used out of scope
# bad
each { |x|
x
}
# return value is used/assigned
# good
foo = map { |x|
x
}
map { |x|
x
}.inspect
# The AllowBracesOnProceduralOneLiners option is allowed unless the
# EnforcedStyle is set to `semantic`. If so:
# If the AllowBracesOnProceduralOneLiners option is unspecified, or
# set to `false` or any other falsey value, then semantic purity is
# maintained, so one-line procedural blocks must use do-end, not
# braces.
# bad
collection.each { |element| puts element }
# good
collection.each do |element| puts element end
# If the AllowBracesOnProceduralOneLiners option is set to `true`, or
# any other truthy value, then one-line procedural blocks may use
# either style. (There is no setting for requiring braces on them.)
# good
collection.each { |element| puts element }
# also good
collection.each do |element| puts element end
Example: EnforcedStyle: bracesforchaining
# bad
words.each do |word|
word.flip.flop
end.join("-")
# good
words.each { |word|
word.flip.flop
}.join("-")
Example: EnforcedStyle: always_braces
# bad
words.each do |word|
word.flip.flop
end
# good
words.each { |word|
word.flip.flop
}
Example: BracesRequiredMethods: ['sig']
# Methods listed in the BracesRequiredMethods list, such as 'sig'
# in this example, will require `{...}` braces. This option takes
# precedence over all other configurations except AllowedMethods.
# bad
sig do
params(
foo: string,
).void
end
def bar(foo)
puts foo
end
# good
sig {
params(
foo: string,
).void
}
def bar(foo)
puts foo
end
Example: AllowedMethods: ['lambda', 'proc', 'it' ] (default)
# good
foo = lambda do |x|
puts "Hello, #{x}"
end
foo = lambda do |x|
x * 100
end
Example: AllowedPatterns: [] (default)
# bad
things.map { |thing|
something = thing.some_method
process(something)
}
Example: AllowedPatterns: ['map']
# good
things.map { |thing|
something = thing.some_method
process(something)
}
Prefer do...end
over {...}
for procedural blocks. (https://rubystyle.guide#single-line-blocks) Open
format.html { render action: 'new' }
- Read upRead up
- Exclude checks
Check for uses of braces or do/end around single line or multi-line blocks.
Methods that can be either procedural or functional and cannot be
categorised from their usage alone is ignored.
lambda
, proc
, and it
are their defaults.
Additional methods can be added to the AllowedMethods
.
Example: EnforcedStyle: linecountbased (default)
# bad - single line block
items.each do |item| item / 5 end
# good - single line block
items.each { |item| item / 5 }
# bad - multi-line block
things.map { |thing|
something = thing.some_method
process(something)
}
# good - multi-line block
things.map do |thing|
something = thing.some_method
process(something)
end
Example: EnforcedStyle: semantic
# Prefer `do...end` over `{...}` for procedural blocks.
# return value is used/assigned
# bad
foo = map do |x|
x
end
puts (map do |x|
x
end)
# return value is not used out of scope
# good
map do |x|
x
end
# Prefer `{...}` over `do...end` for functional blocks.
# return value is not used out of scope
# bad
each { |x|
x
}
# return value is used/assigned
# good
foo = map { |x|
x
}
map { |x|
x
}.inspect
# The AllowBracesOnProceduralOneLiners option is allowed unless the
# EnforcedStyle is set to `semantic`. If so:
# If the AllowBracesOnProceduralOneLiners option is unspecified, or
# set to `false` or any other falsey value, then semantic purity is
# maintained, so one-line procedural blocks must use do-end, not
# braces.
# bad
collection.each { |element| puts element }
# good
collection.each do |element| puts element end
# If the AllowBracesOnProceduralOneLiners option is set to `true`, or
# any other truthy value, then one-line procedural blocks may use
# either style. (There is no setting for requiring braces on them.)
# good
collection.each { |element| puts element }
# also good
collection.each do |element| puts element end
Example: EnforcedStyle: bracesforchaining
# bad
words.each do |word|
word.flip.flop
end.join("-")
# good
words.each { |word|
word.flip.flop
}.join("-")
Example: EnforcedStyle: always_braces
# bad
words.each do |word|
word.flip.flop
end
# good
words.each { |word|
word.flip.flop
}
Example: BracesRequiredMethods: ['sig']
# Methods listed in the BracesRequiredMethods list, such as 'sig'
# in this example, will require `{...}` braces. This option takes
# precedence over all other configurations except AllowedMethods.
# bad
sig do
params(
foo: string,
).void
end
def bar(foo)
puts foo
end
# good
sig {
params(
foo: string,
).void
}
def bar(foo)
puts foo
end
Example: AllowedMethods: ['lambda', 'proc', 'it' ] (default)
# good
foo = lambda do |x|
puts "Hello, #{x}"
end
foo = lambda do |x|
x * 100
end
Example: AllowedPatterns: [] (default)
# bad
things.map { |thing|
something = thing.some_method
process(something)
}
Example: AllowedPatterns: ['map']
# good
things.map { |thing|
something = thing.some_method
process(something)
}
Prefer do...end
over {...}
for procedural blocks. (https://rubystyle.guide#single-line-blocks) Open
format.html { render action: 'edit' }
- Read upRead up
- Exclude checks
Check for uses of braces or do/end around single line or multi-line blocks.
Methods that can be either procedural or functional and cannot be
categorised from their usage alone is ignored.
lambda
, proc
, and it
are their defaults.
Additional methods can be added to the AllowedMethods
.
Example: EnforcedStyle: linecountbased (default)
# bad - single line block
items.each do |item| item / 5 end
# good - single line block
items.each { |item| item / 5 }
# bad - multi-line block
things.map { |thing|
something = thing.some_method
process(something)
}
# good - multi-line block
things.map do |thing|
something = thing.some_method
process(something)
end
Example: EnforcedStyle: semantic
# Prefer `do...end` over `{...}` for procedural blocks.
# return value is used/assigned
# bad
foo = map do |x|
x
end
puts (map do |x|
x
end)
# return value is not used out of scope
# good
map do |x|
x
end
# Prefer `{...}` over `do...end` for functional blocks.
# return value is not used out of scope
# bad
each { |x|
x
}
# return value is used/assigned
# good
foo = map { |x|
x
}
map { |x|
x
}.inspect
# The AllowBracesOnProceduralOneLiners option is allowed unless the
# EnforcedStyle is set to `semantic`. If so:
# If the AllowBracesOnProceduralOneLiners option is unspecified, or
# set to `false` or any other falsey value, then semantic purity is
# maintained, so one-line procedural blocks must use do-end, not
# braces.
# bad
collection.each { |element| puts element }
# good
collection.each do |element| puts element end
# If the AllowBracesOnProceduralOneLiners option is set to `true`, or
# any other truthy value, then one-line procedural blocks may use
# either style. (There is no setting for requiring braces on them.)
# good
collection.each { |element| puts element }
# also good
collection.each do |element| puts element end
Example: EnforcedStyle: bracesforchaining
# bad
words.each do |word|
word.flip.flop
end.join("-")
# good
words.each { |word|
word.flip.flop
}.join("-")
Example: EnforcedStyle: always_braces
# bad
words.each do |word|
word.flip.flop
end
# good
words.each { |word|
word.flip.flop
}
Example: BracesRequiredMethods: ['sig']
# Methods listed in the BracesRequiredMethods list, such as 'sig'
# in this example, will require `{...}` braces. This option takes
# precedence over all other configurations except AllowedMethods.
# bad
sig do
params(
foo: string,
).void
end
def bar(foo)
puts foo
end
# good
sig {
params(
foo: string,
).void
}
def bar(foo)
puts foo
end
Example: AllowedMethods: ['lambda', 'proc', 'it' ] (default)
# good
foo = lambda do |x|
puts "Hello, #{x}"
end
foo = lambda do |x|
x * 100
end
Example: AllowedPatterns: [] (default)
# bad
things.map { |thing|
something = thing.some_method
process(something)
}
Example: AllowedPatterns: ['map']
# good
things.map { |thing|
something = thing.some_method
process(something)
}
Put empty method definitions on a single line. (https://rubystyle.guide#no-single-line-methods) Open
def show
end
- Read upRead up
- Exclude checks
Checks for the formatting of empty method definitions.
By default it enforces empty method definitions to go on a single
line (compact style), but it can be configured to enforce the end
to go on its own line (expanded style).
NOTE: A method definition is not considered empty if it contains comments.
NOTE: Autocorrection will not be applied for the compact
style
if the resulting code is longer than the Max
configuration for
Layout/LineLength
, but an offense will still be registered.
Example: EnforcedStyle: compact (default)
# bad
def foo(bar)
end
def self.foo(bar)
end
# good
def foo(bar); end
def foo(bar)
# baz
end
def self.foo(bar); end
Example: EnforcedStyle: expanded
# bad
def foo(bar); end
def self.foo(bar); end
# good
def foo(bar)
end
def self.foo(bar)
end
Prefer do...end
over {...}
for procedural blocks. (https://rubystyle.guide#single-line-blocks) Open
format.html { redirect_to players_url }
- Read upRead up
- Exclude checks
Check for uses of braces or do/end around single line or multi-line blocks.
Methods that can be either procedural or functional and cannot be
categorised from their usage alone is ignored.
lambda
, proc
, and it
are their defaults.
Additional methods can be added to the AllowedMethods
.
Example: EnforcedStyle: linecountbased (default)
# bad - single line block
items.each do |item| item / 5 end
# good - single line block
items.each { |item| item / 5 }
# bad - multi-line block
things.map { |thing|
something = thing.some_method
process(something)
}
# good - multi-line block
things.map do |thing|
something = thing.some_method
process(something)
end
Example: EnforcedStyle: semantic
# Prefer `do...end` over `{...}` for procedural blocks.
# return value is used/assigned
# bad
foo = map do |x|
x
end
puts (map do |x|
x
end)
# return value is not used out of scope
# good
map do |x|
x
end
# Prefer `{...}` over `do...end` for functional blocks.
# return value is not used out of scope
# bad
each { |x|
x
}
# return value is used/assigned
# good
foo = map { |x|
x
}
map { |x|
x
}.inspect
# The AllowBracesOnProceduralOneLiners option is allowed unless the
# EnforcedStyle is set to `semantic`. If so:
# If the AllowBracesOnProceduralOneLiners option is unspecified, or
# set to `false` or any other falsey value, then semantic purity is
# maintained, so one-line procedural blocks must use do-end, not
# braces.
# bad
collection.each { |element| puts element }
# good
collection.each do |element| puts element end
# If the AllowBracesOnProceduralOneLiners option is set to `true`, or
# any other truthy value, then one-line procedural blocks may use
# either style. (There is no setting for requiring braces on them.)
# good
collection.each { |element| puts element }
# also good
collection.each do |element| puts element end
Example: EnforcedStyle: bracesforchaining
# bad
words.each do |word|
word.flip.flop
end.join("-")
# good
words.each { |word|
word.flip.flop
}.join("-")
Example: EnforcedStyle: always_braces
# bad
words.each do |word|
word.flip.flop
end
# good
words.each { |word|
word.flip.flop
}
Example: BracesRequiredMethods: ['sig']
# Methods listed in the BracesRequiredMethods list, such as 'sig'
# in this example, will require `{...}` braces. This option takes
# precedence over all other configurations except AllowedMethods.
# bad
sig do
params(
foo: string,
).void
end
def bar(foo)
puts foo
end
# good
sig {
params(
foo: string,
).void
}
def bar(foo)
puts foo
end
Example: AllowedMethods: ['lambda', 'proc', 'it' ] (default)
# good
foo = lambda do |x|
puts "Hello, #{x}"
end
foo = lambda do |x|
x * 100
end
Example: AllowedPatterns: [] (default)
# bad
things.map { |thing|
something = thing.some_method
process(something)
}
Example: AllowedPatterns: ['map']
# good
things.map { |thing|
something = thing.some_method
process(something)
}
Prefer do...end
over {...}
for procedural blocks. (https://rubystyle.guide#single-line-blocks) Open
format.html { redirect_to @player, notice: 'Player was successfully updated.' }
- Read upRead up
- Exclude checks
Check for uses of braces or do/end around single line or multi-line blocks.
Methods that can be either procedural or functional and cannot be
categorised from their usage alone is ignored.
lambda
, proc
, and it
are their defaults.
Additional methods can be added to the AllowedMethods
.
Example: EnforcedStyle: linecountbased (default)
# bad - single line block
items.each do |item| item / 5 end
# good - single line block
items.each { |item| item / 5 }
# bad - multi-line block
things.map { |thing|
something = thing.some_method
process(something)
}
# good - multi-line block
things.map do |thing|
something = thing.some_method
process(something)
end
Example: EnforcedStyle: semantic
# Prefer `do...end` over `{...}` for procedural blocks.
# return value is used/assigned
# bad
foo = map do |x|
x
end
puts (map do |x|
x
end)
# return value is not used out of scope
# good
map do |x|
x
end
# Prefer `{...}` over `do...end` for functional blocks.
# return value is not used out of scope
# bad
each { |x|
x
}
# return value is used/assigned
# good
foo = map { |x|
x
}
map { |x|
x
}.inspect
# The AllowBracesOnProceduralOneLiners option is allowed unless the
# EnforcedStyle is set to `semantic`. If so:
# If the AllowBracesOnProceduralOneLiners option is unspecified, or
# set to `false` or any other falsey value, then semantic purity is
# maintained, so one-line procedural blocks must use do-end, not
# braces.
# bad
collection.each { |element| puts element }
# good
collection.each do |element| puts element end
# If the AllowBracesOnProceduralOneLiners option is set to `true`, or
# any other truthy value, then one-line procedural blocks may use
# either style. (There is no setting for requiring braces on them.)
# good
collection.each { |element| puts element }
# also good
collection.each do |element| puts element end
Example: EnforcedStyle: bracesforchaining
# bad
words.each do |word|
word.flip.flop
end.join("-")
# good
words.each { |word|
word.flip.flop
}.join("-")
Example: EnforcedStyle: always_braces
# bad
words.each do |word|
word.flip.flop
end
# good
words.each { |word|
word.flip.flop
}
Example: BracesRequiredMethods: ['sig']
# Methods listed in the BracesRequiredMethods list, such as 'sig'
# in this example, will require `{...}` braces. This option takes
# precedence over all other configurations except AllowedMethods.
# bad
sig do
params(
foo: string,
).void
end
def bar(foo)
puts foo
end
# good
sig {
params(
foo: string,
).void
}
def bar(foo)
puts foo
end
Example: AllowedMethods: ['lambda', 'proc', 'it' ] (default)
# good
foo = lambda do |x|
puts "Hello, #{x}"
end
foo = lambda do |x|
x * 100
end
Example: AllowedPatterns: [] (default)
# bad
things.map { |thing|
something = thing.some_method
process(something)
}
Example: AllowedPatterns: ['map']
# good
things.map { |thing|
something = thing.some_method
process(something)
}