Showing 247 of 250 total issues
Method has too many lines. [33/30] Open
def update
pass_query_params
return unless (draft = find_description!(params[:id].to_s))
parent = draft.parent
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Method has too many lines. [32/30] Open
def notify_users
return unless saved_version_changes?
sender = User.current
recipients = []
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Method has too many lines. [32/30] Open
def query(args = {})
initialize_query unless initialized?
our_select = args[:select] || "DISTINCT #{model.table_name}.id"
our_join = join.dup
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Method has too many lines. [32/30] Open
def assemble_data
@data = [nil]
done = true
params[:writein_name].keys.sort.each do |n|
name = begin
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Method has too many lines. [31/30] Open
def check_export_tag_def_line(quoted_tag, tag, str)
if @in_tag
verbose("#{locale} #{@line_number}: " \
"didn't finish multi-line string for #{@in_tag}")
@in_tag = false
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Method has too many lines. [31/30] Open
def save_to_temp_file
result = true
unless upload_temp_file.present?
# Image is supplied in a input stream. This can happen in a variety of
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks if the length of a method exceeds some maximum value. Comment lines can optionally be allowed. The maximum allowed length is configurable.
You can set constructs you want to fold with CountAsOne
.
Available are: 'array', 'hash', 'heredoc', and 'method_call'. Each construct
will be counted as one line regardless of its actual size.
NOTE: The ExcludedMethods
and IgnoredMethods
configuration is
deprecated and only kept for backwards compatibility.
Please use AllowedMethods
and AllowedPatterns
instead.
By default, there are no methods to allowed.
Example: CountAsOne: ['array', 'heredoc', 'method_call']
def m
array = [ # +1
1,
2
]
hash = { # +3
key: 'value'
}
<<~HEREDOC # +1
Heredoc
content.
HEREDOC
foo( # +1
1,
2
)
end # 6 points
Use of unsafe cookie serialization strategy :marshal
might lead to remote code execution Open
Rails.application.config.action_dispatch.cookies_serializer = :marshal
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Objects in Ruby may be serialized to strings. The main method for doing so is the built-in Marshal
class. The YAML
, JSON
, and CSV
libraries also have methods for dumping Ruby objects into strings, and then creating objects from those strings.
Deserialization of arbitrary objects can lead to remote code execution, as was demonstrated with CVE-2013-0156.
Brakeman warns when loading user input with Marshal
, YAML
, or CSV
. JSON
is covered by the checks for CVE-2013-0333
Possible SQL injection Open
query = ObservationView.where(reviewed: 0).joins(join)
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Possible command injection Open
self.content_type = `file --mime -b #{file}`.sub(/[;\s].*/, "")
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
There are many ways to run commands in Ruby:
`ls #{params[:file]}`
system("ls #{params[:dir]}")
exec("md5sum #{params[:input]}")
Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.
See the Ruby Security Guide for details.
Possible SQL injection Open
Vote.where.not(user_id: 0).joins(join).
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Possible command injection Open
system("script/rotate_image #{id} #{operator}&") unless Rails.env.test?
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
There are many ways to run commands in Ruby:
`ls #{params[:file]}`
system("ls #{params[:dir]}")
exec("md5sum #{params[:input]}")
Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.
See the Ruby Security Guide for details.
Possible unprotected redirect Open
redirect_to(object_path_with_query(@description))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to
appears to be used with a user-supplied value that may allow them to change the :host
option.
For example,
redirect_to params.merge(:action => :home)
will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)
This is because params
could contain :host => 'evilsite.com'
which would redirect away from your site and to a malicious site.
If the first argument to redirect_to
is a hash, then adding :only_path => true
will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')
If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).path
If the URL does not contain a protocol (e.g., http://
), then you will probably get unexpected results, as redirect_to
will prepend the current host name and a protocol.
Possible SQL injection Open
SortedSet.new(Name.find_by_sql("SELECT DISTINCT names.* #{conditions}"))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Possible unprotected redirect Open
redirect_to(object_path_with_query(@description))
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to
appears to be used with a user-supplied value that may allow them to change the :host
option.
For example,
redirect_to params.merge(:action => :home)
will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)
This is because params
could contain :host => 'evilsite.com'
which would redirect away from your site and to a malicious site.
If the first argument to redirect_to
is a hash, then adding :only_path => true
will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')
If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).path
If the URL does not contain a protocol (e.g., http://
), then you will probably get unexpected results, as redirect_to
will prepend the current host name and a protocol.
Possible SQL injection Open
Image.find_by_sql("SELECT DISTINCT images.* #{conditions}")
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Inline HTML Open
<details>
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
MD033 - Inline HTML
Tags: html
Aliases: no-inline-html
This rule is triggered whenever raw HTML is used in a markdown document:
Inline HTML header
To fix this, use 'pure' markdown instead of including raw HTML:
# Markdown header
Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.
Inline HTML Open
<summary>Examples</summary>
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
MD033 - Inline HTML
Tags: html
Aliases: no-inline-html
This rule is triggered whenever raw HTML is used in a markdown document:
Inline HTML header
To fix this, use 'pure' markdown instead of including raw HTML:
# Markdown header
Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.
Inline HTML Open
<summary>Examples</summary>
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
MD033 - Inline HTML
Tags: html
Aliases: no-inline-html
This rule is triggered whenever raw HTML is used in a markdown document:
Inline HTML header
To fix this, use 'pure' markdown instead of including raw HTML:
# Markdown header
Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.
Inline HTML Open
<summary>Example</summary>
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
MD033 - Inline HTML
Tags: html
Aliases: no-inline-html
This rule is triggered whenever raw HTML is used in a markdown document:
Inline HTML header
To fix this, use 'pure' markdown instead of including raw HTML:
# Markdown header
Rationale: Raw HTML is allowed in markdown, but this rule is included for those who want their documents to only include "pure" markdown, or for those who are rendering markdown documents in something other than HTML.
Replace class var @@last_clean with a class instance var. Open
@@last_clean = Time.zone.now
- Read upRead up
- Create a ticketCreate a ticket
- Exclude checks
Checks for uses of class variables. Offenses are signaled only on assignment to class variables to reduce the number of offenses that would be reported.
You have to be careful when setting a value for a class variable; if a class has been inherited, changing the value of a class variable also affects the inheriting classes. This means that it's almost always better to use a class instance variable instead.
Example:
# bad
class A
@@test = 10
end
class A
def self.test(name, value)
class_variable_set("@@#{name}", value)
end
end
class A; end
A.class_variable_set(:@@test, 10)
# good
class A
@test = 10
end
class A
def test
@@test # you can access class variable without offense
end
end
class A
def self.test(name)
class_variable_get("@@#{name}") # you can access without offense
end
end