ServiceInnovationLab/RapuTure

Showing 208 of 212 total issues

0.125 should be written without a leading zero as .125
Open

  box-shadow: 0 0.125rem 0.3125rem rgba(darken($grey, 10%), 0.9);

edit, update, destroy are not explicitly defined on the controller.
Open

  before_action :set_variable, only: %i[show edit update destroy]

This cop checks that the methods named in a filter's only or except options are explicitly defined in the controller.

You can name superclass methods or methods added by mixins in the filter, but this confuses developers. If you name methods that are defined on another controller, define the filter in that controller instead.

Example:

# bad
class LoginController < ApplicationController
  before_action :require_login, only: %i[index settings logout]

  def index
  end
end

# good
class LoginController < ApplicationController
  before_action :require_login, only: %i[index settings logout]

  def index
  end

  def settings
  end

  def logout
  end
end

0.8 should be written without a leading zero as .8
Open

  box-shadow: 0 0.125rem 0.3125rem rgba(darken($grey, 10%), 0.8);
Severity: Minor
Found in app/assets/stylesheets/cards.scss by scss-lint

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.2.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Tagging a string as html safe may be a security risk.
Open

    formula.html_safe
Severity: Minor
Found in app/helpers/variables_helper.rb by rubocop

This cop checks for the use of output safety calls like html_safe, raw, and safe_concat. These methods do not escape content; they simply return a SafeBuffer containing the content as is. Instead, use safe_join to join content and escape it, and concat to concatenate content and escape it, ensuring its safety.

Example:

user_content = "<b>hi</b>"

# bad
"<p>#{user_content}</p>".html_safe
# => ActiveSupport::SafeBuffer "<p><b>hi</b></p>"

# good
content_tag(:p, user_content)
# => ActiveSupport::SafeBuffer "<p>&lt;b&gt;hi&lt;/b&gt;</p>"

# bad
out = ""
out << "<li>#{user_content}</li>"
out << "<li>#{user_content}</li>"
out.html_safe
# => ActiveSupport::SafeBuffer "<li><b>hi</b></li><li><b>hi</b></li>"

# good
out = []
out << content_tag(:li, user_content)
out << content_tag(:li, user_content)
safe_join(out)
# => ActiveSupport::SafeBuffer
#    "<li>&lt;b&gt;hi&lt;/b&gt;</li><li>&lt;b&gt;hi&lt;/b&gt;</li>"

# bad
out = "<h1>trusted content</h1>".html_safe
out.safe_concat(user_content)
# => ActiveSupport::SafeBuffer "<h1>trusted content</h1><b>hi</b>"

# good
out = "<h1>trusted content</h1>".html_safe
out.concat(user_content)
# => ActiveSupport::SafeBuffer
#    "<h1>trusted content</h1>&lt;b&gt;hi&lt;/b&gt;"

# safe, though maybe not good style
out = "trusted content"
result = out.concat(user_content)
# => String "trusted content<b>hi</b>"
# because when rendered in ERB the String will be escaped:
# <%= result %>
# => trusted content&lt;b&gt;hi&lt;/b&gt;

# bad
(user_content + " " + content_tag(:span, user_content)).html_safe
# => ActiveSupport::SafeBuffer "<b>hi</b> <span>&lt;b&gt;hi&lt;/b&gt;</span>"

# good
safe_join([user_content, " ", content_tag(:span, user_content)])
# => ActiveSupport::SafeBuffer
#    "&lt;b&gt;hi&lt;/b&gt; <span>&lt;b&gt;hi&lt;/b&gt;</span>"

0.5 should be written without a leading zero as .5
Open

  box-shadow: 0 0 0.3125rem rgba($primary-color, 0.5);

0.3125 should be written without a leading zero as .3125
Open

  padding: 0.3125rem 0.625rem;

0.3125 should be written without a leading zero as .3125
Open

    margin-bottom: 0.3125rem;
Severity: Minor
Found in app/assets/stylesheets/lists.scss by scss-lint

Color literals like #666 should only be used in variable declarations; they should be referred to via variable everywhere else.
Open

    color: #666;

Color red should be written in hexadecimal form as #ff0000
Open

  border: 2px solid red;

0.7 should be written without a leading zero as .7
Open

  padding: 0.7rem 1rem;

Color literals like #c00 should only be used in variable declarations; they should be referred to via variable everywhere else.
Open

    background-color: #c00;

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.2.4.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Convert if nested inside else to elsif.
Open

              variable.variables.delete(v) if linked_variables.include? v

If the else branch of a conditional consists solely of an if node, it can be combined with the else to become an elsif. This helps to keep the nesting level from getting too deep.

Example:

# bad
if condition_a
  action_a
else
  if condition_b
    action_b
  else
    action_c
  end
end

# good
if condition_a
  action_a
elsif condition_b
  action_b
else
  action_c
end

0.625 should be written without a leading zero as .625
Open

  border-bottom: 0.625rem solid $primary-color;

Properties should be ordered background-color, color, font-family, font-size, line-height, margin
Open

  margin: 33px;

Properties should be ordered background-color, display, padding
Open

  padding: 2px;

0.9 should be written without a leading zero as .9
Open

  box-shadow: 0 0.125rem 0.3125rem rgba(darken($grey, 10%), 0.9);

CSRF Vulnerability in rails-ujs
Open

    actionview (5.2.4.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (5.2.4.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1
