Possible SQL injection Open
::DwcOccurrence.from('(' + @core_scope + ') as dwc_occurrences').order('dwc_occurrences.id')- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Possible command injection Open
@all_data.write(`paste #{ join_data.filter_map{|f| f.path if f.size > 0}.join(' ')}`)- Read upRead up
- Exclude checks
Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
There are many ways to run commands in Ruby:
`ls #{params[:file]}`
system("ls #{params[:dir]}")
exec("md5sum #{params[:input]}")Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.
See the Ruby Security Guide for details.
Possible SQL injection Open
::BiologicalAssociation.from('(' + @biological_associations_extension + ') as biological_associations')- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
File data.rb has 473 lines of code (exceeds 250 allowed). Consider refactoring. Open
require 'zip'
module Export::Dwca
# !!Class Data has 35 methods (exceeds 20 allowed). Consider refactoring. Open
class Data
attr_accessor :data
attr_accessor :emlMethod eml has 76 lines of code (exceeds 25 allowed). Consider refactoring. Open
def eml
return @eml if @eml
@eml = Tempfile.new('eml.xml')
# This may need to be logged somewhereMethod taxonworks_extension_data has 59 lines of code (exceeds 25 allowed). Consider refactoring. Open
def taxonworks_extension_data
return @taxonworks_extension_data if @taxonworks_extension_data
# hash of internal method name => csv header name
methods = {}Method has too many lines. [29/25] Open
def predicate_data
return @predicate_data if @predicate_data
# if no predicate data found, return empty file
if used_predicates.empty?- Read upRead up
- Exclude checks
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Method taxonworks_extension_data has a Cognitive Complexity of 11 (exceeds 5 allowed). Consider refactoring. Open
def taxonworks_extension_data
return @taxonworks_extension_data if @taxonworks_extension_data
# hash of internal method name => csv header name
methods = {}- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method predicate_data has 29 lines of code (exceeds 25 allowed). Consider refactoring. Open
def predicate_data
return @predicate_data if @predicate_data
# if no predicate data found, return empty file
if used_predicates.empty?Method all_data has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
def all_data
return @all_data if @all_data
Rails.logger.debug 'dwca_export: start combining all data'
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method meta has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring. Open
def meta
return @meta if @meta
@meta = Tempfile.new('meta.xml')
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method predicate_data has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def predicate_data
return @predicate_data if @predicate_data
# if no predicate data found, return empty file
if used_predicates.empty?- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method core_scope has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def core_scope
if @core_scope.kind_of?(String)
::DwcOccurrence.from('(' + @core_scope + ') as dwc_occurrences').order('dwc_occurrences.id')
elsif @core_scope.kind_of?(ActiveRecord::Relation)
raise ArgumentError, 'core_scope: is not a DwcOccurrence relation' unless @core_scope.table.name == 'dwc_occurrences'- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Use if @biological_associations_extension.blank? instead of unless @biological_associations_extension.present?. Open
return nil unless @biological_associations_extension.present?- Read upRead up
- Exclude checks
This cop checks for code that can be written with simpler conditionals
using Object#blank? defined by Active Support.
Interaction with Style/UnlessElse:
The configuration of NotPresent will not produce an offense in the
context of unless else if Style/UnlessElse is inabled. This is
to prevent interference between the auto-correction of the two cops.
Example: NilOrEmpty: true (default)
# Converts usages of `nil? || empty?` to `blank?`
# bad
foo.nil? || foo.empty?
foo == nil || foo.empty?
# good
foo.blank?Example: NotPresent: true (default)
# Converts usages of `!present?` to `blank?`
# bad
!foo.present?
# good
foo.blank?Example: UnlessPresent: true (default)
# Converts usages of `unless present?` to `if blank?`
# bad
something unless foo.present?
# good
something if foo.blank?
# bad
unless foo.present?
something
end
# good
if foo.blank?
something
end
# good
def blank?
!present?
endTODO found Open
# TODO: we're replicating this to get ids as well in `collection_object_ids` so somewhat redundant- Exclude checks
TODO found Open
attr_accessor :total #TODO update- Exclude checks
TODO found Open
# TODO: reference biological_resource_extension.csv- Exclude checks
TODO found Open
# TODO: this is a heavy-handed hack to re-sync data- Exclude checks
TODO found Open
# TODO: might not need to check size at some point.- Exclude checks
TODO found Open
# TODO: check to see if we nee dthis- Exclude checks
TODO found Open
column_order: ::CollectionObject::DWC_OCCURRENCE_MAP.keys + ::CollectionObject::EXTENSION_FIELDS, # TODO: add other maps here- Exclude checks
TODO found Open
# TODO: order dependant pattern is fast but very brittle- Exclude checks
TODO found Open
# TODO: fails when we get to AssertedDistribution- Exclude checks
TODO found Open
# TODO Breaks when AssertedDistribution is added- Exclude checks
TODO found Open
# TODO: return, or optimize to this when ::CollectionObject::EXTENSION_COMPUTED_FIELDS.size > 1- Exclude checks
Prefer symbols instead of strings as hash keys. Open
'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'xmlns:eml' => 'eml://ecoinformatics.org/eml-2.1.1',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'xsi:schemaLocation' => 'eml://ecoinformatics.org/eml-2.1.1 http://rs.gbif.org/schema/eml-gbif-profile/1.1/eml-gbif-profile.xsd',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'xmlns:dc' => 'http://purl.org/dc/terms/',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'scope' => 'system',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
xml.archive('xmlns' => 'http://rs.tdwg.org/dwc/text/') {- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'system' => 'https://taxonworks.org',- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'xml:lang' => 'en'- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer symbols instead of strings as hash keys. Open
'packageId' => identifier,- Read upRead up
- Exclude checks
This cop checks for the use of strings as keys in hashes. The use of symbols is preferred instead.
Example:
# bad
{ 'one' => 1, 'two' => 2, 'three' => 3 }
# good
{ one: 1, two: 2, three: 3 }Prefer single-quoted strings when you don't need string interpolation or special symbols. Open
a = "TW:Internal:otu_name".freeze- Read upRead up
- Exclude checks
Checks if uses of quotes match the configured preference.
Example: EnforcedStyle: single_quotes (default)
# bad
"No special symbols"
"No string interpolation"
"Just text"
# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"Example: EnforcedStyle: double_quotes
# bad
'Just some text'
'No special chars or interpolation'
# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"Do not use Time.now without zone. Use one of Time.zone.now, Time.current, Time.now.in_time_zone, Time.now.utc, Time.now.getlocal, Time.now.xmlschema, Time.now.iso8601, Time.now.jisx0301, Time.now.rfc3339, Time.now.httpdate, Time.now.to_i, Time.now.to_f instead. Open
xml.dateStamp DateTime.parse(Time.now.to_s).to_s- Read upRead up
- Exclude checks
This cop checks for the use of Time methods without zone.
Built on top of Ruby on Rails style guide (https://github.com/rubocop-hq/rails-style-guide#time) and the article http://danilenko.org/2012/7/6/rails_timezones/
Two styles are supported for this cop. When EnforcedStyle is 'strict' then only use of Time.zone is allowed.
When EnforcedStyle is 'flexible' then it's also allowed to use Time.intimezone.
Example: EnforcedStyle: strict
# `strict` means that `Time` should be used with `zone`.
# bad
Time.now
Time.parse('2015-03-02 19:05:37')
# bad
Time.current
Time.at(timestamp).in_time_zone
# good
Time.zone.now
Time.zone.parse('2015-03-02 19:05:37')Example: EnforcedStyle: flexible (default)
# `flexible` allows usage of `in_time_zone` instead of `zone`.
# bad
Time.now
Time.parse('2015-03-02 19:05:37')
# good
Time.zone.now
Time.zone.parse('2015-03-02 19:05:37')
# good
Time.current
Time.at(timestamp).in_time_zonePrefer single-quoted strings when you don't need string interpolation or special symbols. Open
.select("collection_objects.id, otus.name as otu_name")- Read upRead up
- Exclude checks
Checks if uses of quotes match the configured preference.
Example: EnforcedStyle: single_quotes (default)
# bad
"No special symbols"
"No string interpolation"
"Just text"
# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"Example: EnforcedStyle: double_quotes
# bad
'Just some text'
'No special chars or interpolation'
# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"Do not use Time.new without zone. Use one of Time.zone.now, Time.current, Time.new.in_time_zone, Time.new.utc, Time.new.getlocal, Time.new.xmlschema, Time.new.iso8601, Time.new.jisx0301, Time.new.rfc3339, Time.new.httpdate, Time.new.to_i, Time.new.to_f instead. Open
xml.pubDate Time.new.strftime('%Y-%m-%d')- Read upRead up
- Exclude checks
This cop checks for the use of Time methods without zone.
Built on top of Ruby on Rails style guide (https://github.com/rubocop-hq/rails-style-guide#time) and the article http://danilenko.org/2012/7/6/rails_timezones/
Two styles are supported for this cop. When EnforcedStyle is 'strict' then only use of Time.zone is allowed.
When EnforcedStyle is 'flexible' then it's also allowed to use Time.intimezone.
Example: EnforcedStyle: strict
# `strict` means that `Time` should be used with `zone`.
# bad
Time.now
Time.parse('2015-03-02 19:05:37')
# bad
Time.current
Time.at(timestamp).in_time_zone
# good
Time.zone.now
Time.zone.parse('2015-03-02 19:05:37')Example: EnforcedStyle: flexible (default)
# `flexible` allows usage of `in_time_zone` instead of `zone`.
# bad
Time.now
Time.parse('2015-03-02 19:05:37')
# good
Time.zone.now
Time.zone.parse('2015-03-02 19:05:37')
# good
Time.current
Time.at(timestamp).in_time_zone