Sign upLogin

SMERM/EMUForm

View on GitHub
Star

Showing 134 of 134 total issues

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7578

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Possible information leak / session hijack vulnerability
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Potential remote code execution of user-provided local names in ActionView
Open

    actionview (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8163

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

Solution: upgrade to >= 4.2.11.2

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7580

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.9.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

omniauth leaks authenticity token in callback params
Open

    omniauth (1.3.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

Unsafe Query Generation Risk in Active Record
Open

    activerecord (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6317

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

Solution: upgrade to >= 4.2.7.1

Directory traversal vulnerability in rubyzip
Open

    rubyzip (1.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-5946

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/315

Solution: upgrade to >= 1.2.1

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Possible XSS vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

File Content Disclosure in Action View
Open

    actionview (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Denial of service or RCE from libxml2 and libxslt
Open

    nokogiri (1.6.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-8806

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1473

Solution: upgrade to >= 1.6.8

Directory Traversal in rubyzip
Open

    rubyzip (1.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000544

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/369

Solution: upgrade to >= 1.2.2

Method unique_number has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

  def self.unique_number(array, options = {})
    n_of_attempts = options.delete(:num_of_attempts) || DEFAULT_NUM_OF_ATTEMPTS
    n = nil; x = 0
    while x < n_of_attempts
      n = self.number(options)
Severity: Minor
Found in lib/forgery/forgeries/forgery/unique_number.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Method save_cache has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

  def save_cache(cache)
    res = true
    cache.each do
      |el|
      unless el.exists?
Severity: Minor
Found in app/controllers/works_roles_authors_controller.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Method load_cache has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

  def load_cache
    res = []
    works_roles_authors_params[:authors_attributes].each do
      |a|
      a[:roles_attributes].each { |r| (res << WorkRoleAuthor.new(work_id: @work.to_param, author_id: a[:id], role_id: r[:id])) unless r[:id].blank? } unless a[:id].blank?
Severity: Minor
Found in app/controllers/works_roles_authors_controller.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Rails 4.2.5 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
Open

    rails (4.2.5)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ

Rails 4.2.5 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
Open

    rails (4.2.5)
Severity: Critical
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/ruby-security-ann/WccgKSKiPZA/9DrsDVSoCgAJ

Severity
Category
Status
Source
Language