Sign upLogin

SpeciesFileGroup/taxonworks

View on GitHub
Star
app/controllers/pinboard_items_controller.rb

Summary

Maintainability
A
0 mins
Test Coverage

Possible unprotected redirect
Open

        format.html { redirect_to @pinboard_item, notice: 'Pinboard items was successfully updated.' }
Severity: Minor
Found in app/controllers/pinboard_items_controller.rb by brakeman

Unvalidated redirects and forwards are #10 on the OWASP Top Ten.

Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.

Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.

For example,

redirect_to params.merge(:action => :home)

will create a warning like

Possible unprotected redirect near line 46: redirect_to(params)

This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.

If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.

redirect_to params.merge(:only_path => true)

redirect_to params.merge(:host => 'myhost.com')

If the first argument is a string, then it is possible to parse the string and extract the path:

redirect_to URI.parse(some_url).path

If the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.

Use destroy! instead of destroy if the return value is not checked.
Open

    @pinboard_item.destroy
Severity: Minor
Found in app/controllers/pinboard_items_controller.rb by rubocop

This cop identifies possible cases where Active Record save! or related should be used instead of save because the model might have failed to save and an exception is better than unhandled failure.

This will allow: - update or save calls, assigned to a variable, or used as a condition in an if/unless/case statement. - create calls, assigned to a variable that then has a call to persisted?. - calls if the result is explicitly returned from methods and blocks, or provided as arguments. - calls whose signature doesn't look like an ActiveRecord persistence method.

By default it will also allow implicit returns from methods and blocks. that behavior can be turned off with AllowImplicitReturn: false.

You can permit receivers that are giving false positives with AllowedReceivers: []

Example:

# bad
user.save
user.update(name: 'Joe')
user.find_or_create_by(name: 'Joe')
user.destroy

# good
unless user.save
  # ...
end
user.save!
user.update!(name: 'Joe')
user.find_or_create_by!(name: 'Joe')
user.destroy!

user = User.find_or_create_by(name: 'Joe')
unless user.persisted?
  # ...
end

def save_user
  return user.save
end

Example: AllowImplicitReturn: true (default)

# good
users.each { |u| u.save }

def save_user
  user.save
end

Example: AllowImplicitReturn: false

# bad
users.each { |u| u.save }
def save_user
  user.save
end

# good
users.each { |u| u.save! }

def save_user
  user.save!
end

def save_user
  return user.save
end

Example: AllowedReceivers: ['merchant.customers', 'Service::Mailer']

# bad
merchant.create
customers.builder.save
Mailer.create

module Service::Mailer
  self.create
end

# good
merchant.customers.create
MerchantService.merchant.customers.destroy
Service::Mailer.update(message: 'Message')
::Service::Mailer.update
Services::Service::Mailer.update(message: 'Message')
Service::Mailer::update

There are no issues that match your filters.

Category
Status