Sign upLogin

MushroomObserver/mushroom-observer

View on GitHub
Star

Showing 247 of 250 total issues

Method has too many lines. [33/30]
Open

    def update
      pass_query_params
      return unless (draft = find_description!(params[:id].to_s))

      parent = draft.parent
Severity: Minor
Found in app/controllers/concerns/descriptions/publish.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Method has too many lines. [32/30]
Open

  def notify_users
    return unless saved_version_changes?

    sender = User.current
    recipients = []
Severity: Minor
Found in app/models/location.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Method has too many lines. [32/30]
Open

  def query(args = {})
    initialize_query unless initialized?

    our_select  = args[:select] || "DISTINCT #{model.table_name}.id"
    our_join    = join.dup
Severity: Minor
Found in app/classes/query/modules/sql.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Method has too many lines. [32/30]
Open

    def assemble_data
      @data = [nil]
      done = true
      params[:writein_name].keys.sort.each do |n|
        name   = begin
Severity: Minor
Found in app/controllers/concerns/descriptions/permissions.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Method has too many lines. [31/30]
Open

  def check_export_tag_def_line(quoted_tag, tag, str)
    if @in_tag
      verbose("#{locale} #{@line_number}: " \
              "didn't finish multi-line string for #{@in_tag}")
      @in_tag = false
Severity: Minor
Found in app/models/language_exporter.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Method has too many lines. [31/30]
Open

  def save_to_temp_file
    result = true
    unless upload_temp_file.present?

      # Image is supplied in a input stream.  This can happen in a variety of
Severity: Minor
Found in app/models/image.rb by rubocop

Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.

You can set constructs you want to fold with CountAsOne. Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods and IgnoredMethods configuration is deprecated and only kept for backwards compatibility. Please use AllowedMethods and AllowedPatterns instead. By default, there are no methods to allowed.

Example: CountAsOne: ['array', 'heredoc', 'method_call']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC

  foo(            # +1
    1,
    2
  )
end               # 6 points

Use of unsafe cookie serialization strategy :marshal might lead to remote code execution
Open

Rails.application.config.action_dispatch.cookies_serializer = :marshal
Severity: Minor
Found in config/initializers/cookies_serializer.rb by brakeman

Objects in Ruby may be serialized to strings. The main method for doing so is the built-in Marshal class. The YAML, JSON, and CSV libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings.

Deserialization of arbitrary objects can lead to remote code execution, as was demonstrated with CVE-2013-0156.

Brakeman warns when loading user input with Marshal, YAML, or CSV. JSON is covered by the checks for CVE-2013-0333

Possible SQL injection
Open

    query = ObservationView.where(reviewed: 0).joins(join)
Severity: Minor
Found in app/models/vote.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible command injection
Open

      self.content_type = `file --mime -b #{file}`.sub(/[;\s].*/, "")
Severity: Minor
Found in app/classes/api2/core/uploads.rb by brakeman

Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.

There are many ways to run commands in Ruby:

`ls #{params[:file]}`

system("ls #{params[:dir]}")

exec("md5sum #{params[:input]}")

Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.

See the Ruby Security Guide for details.

Possible SQL injection
Open

    Vote.where.not(user_id: 0).joins(join).
Severity: Minor
Found in app/models/vote.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible command injection
Open

    system("script/rotate_image #{id} #{operator}&") unless Rails.env.test?
Severity: Minor
Found in app/models/image.rb by brakeman

Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.

There are many ways to run commands in Ruby:

`ls #{params[:file]}`

system("ls #{params[:dir]}")

exec("md5sum #{params[:input]}")

Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.

See the Ruby Security Guide for details.

Possible unprotected redirect
Open

        redirect_to(object_path_with_query(@description))
Severity: Minor
Found in app/controllers/concerns/descriptions/permissions.rb by brakeman

Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

For example,

redirect_to params.merge(:action => :home)

will create a warning like

Possible unprotected redirect near line 46: redirect_to(params)

This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

redirect_to params.merge(:only_path => true)

redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

redirect_to URI.parse(some_url).path

If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

Possible SQL injection
Open

    SortedSet.new(Name.find_by_sql("SELECT DISTINCT names.* #{conditions}"))
Severity: Minor
Found in app/classes/eol_data.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible unprotected redirect
Open

        redirect_to(object_path_with_query(@description))
Severity: Minor
Found in app/controllers/concerns/descriptions/permissions.rb by brakeman

Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

For example,

redirect_to params.merge(:action => :home)

will create a warning like

Possible unprotected redirect near line 46: redirect_to(params)

This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

redirect_to params.merge(:only_path => true)

redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

redirect_to URI.parse(some_url).path

If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

Possible SQL injection
Open

    Image.find_by_sql("SELECT DISTINCT images.* #{conditions}")
Severity: Minor
Found in app/classes/eol_data.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Inline HTML
Open

   <details>
Severity: Info
Found in doc/glossary.md by markdownlint

MD033 - Inline HTML

Tags: html

Aliases: no-inline-html

This rule is triggered whenever raw HTML is used in a markdown document:

Inline HTML header

To fix this, use 'pure' markdown instead of including raw HTML:

# Markdown header

Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.

Inline HTML
Open

   <summary>Examples</summary>
Severity: Info
Found in doc/glossary.md by markdownlint

MD033 - Inline HTML

Tags: html

Aliases: no-inline-html

This rule is triggered whenever raw HTML is used in a markdown document:

Inline HTML header

To fix this, use 'pure' markdown instead of including raw HTML:

# Markdown header

Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.

Inline HTML
Open

   <summary>Examples</summary>
Severity: Info
Found in doc/glossary.md by markdownlint

MD033 - Inline HTML

Tags: html

Aliases: no-inline-html

This rule is triggered whenever raw HTML is used in a markdown document:

Inline HTML header

To fix this, use 'pure' markdown instead of including raw HTML:

# Markdown header

Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.

Inline HTML
Open

  <summary>Example</summary>
Severity: Info
Found in doc/glossary.md by markdownlint

MD033 - Inline HTML

Tags: html

Aliases: no-inline-html

This rule is triggered whenever raw HTML is used in a markdown document:

Inline HTML header

To fix this, use 'pure' markdown instead of including raw HTML:

# Markdown header

Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.

Replace class var @@last_clean with a class instance var.
Open

    @@last_clean = Time.zone.now
Severity: Minor
Found in app/models/language_tracking.rb by rubocop

Checks for uses of class variables. Offenses are signaled only on assignment to class variables to reduce the number of offenses that would be reported.

You have to be careful when setting a value for a class variable; if a class has been inherited, changing the value of a class variable also affects the inheriting classes. This means that it's almost always better to use a class instance variable instead.

Example:

# bad
class A
  @@test = 10
end

class A
  def self.test(name, value)
    class_variable_set("@@#{name}", value)
  end
end

class A; end
A.class_variable_set(:@@test, 10)

# good
class A
  @test = 10
end

class A
  def test
    @@test # you can access class variable without offense
  end
end

class A
  def self.test(name)
    class_variable_get("@@#{name}") # you can access without offense
  end
end
Severity
Category
Status
Source
Language