Sign upLogin

SpeciesFileGroup/taxonworks

View on GitHub
Star
lib/queries/person/filter.rb

Summary

Maintainability
C
1 day
Test Coverage

Possible SQL injection
Open

          .having("COUNT(roles.person_id) >= #{min_max[0]}")
Severity: Minor
Found in lib/queries/person/filter.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Possible SQL injection
Open

        q = q.having("COUNT(roles.person_id) <= #{min_max[1]}") if min_max[1]
Severity: Minor
Found in lib/queries/person/filter.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Class Filter has 33 methods (exceeds 20 allowed). Consider refactoring.
Open

    class Filter < Query::Filter
      include Queries::Concerns::DataAttributes
      include Queries::Concerns::Notes
      include Queries::Concerns::Tags
Severity: Minor
Found in lib/queries/person/filter.rb - About 4 hrs to fix

    File filter.rb has 284 lines of code (exceeds 250 allowed). Consider refactoring.
    Open

    module Queries
  module Person

    class Filter < Query::Filter
      include Queries::Concerns::DataAttributes
    Severity: Minor
    Found in lib/queries/person/filter.rb - About 2 hrs to fix

      Method has too many lines. [26/25]
      Open

            def initialize(query_params = {})
        super

        @active_after_year = params[:active_after_year]
        @active_before_year = params[:active_before_year]
      Severity: Minor
      Found in lib/queries/person/filter.rb by rubocop

      This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

      Method initialize has 26 lines of code (exceeds 25 allowed). Consider refactoring.
      Open

            def initialize(query_params = {})
        super

        @active_after_year = params[:active_after_year]
        @active_before_year = params[:active_before_year]
      Severity: Minor
      Found in lib/queries/person/filter.rb - About 1 hr to fix

        Similar blocks of code found in 2 locations. Consider refactoring.
        Open

              def with_facet
        return nil if with.empty?
        a = with.shift
        q = table[a.to_sym].not_eq(nil)
        Severity: Minor
        Found in lib/queries/person/filter.rb and 1 other location - About 25 mins to fix
        lib/queries/person/filter.rb on lines 352..360

        Duplicated Code

        Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

        Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

        When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

        Tuning

        This issue has a mass of 31.

        We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

        The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

        If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

        See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

        Refactorings

        Further Reading

        Similar blocks of code found in 2 locations. Consider refactoring.
        Open

              def without_facet
        return nil if without.empty?
        a = without.shift
        q = table[a.to_sym].eq(nil)
        Severity: Minor
        Found in lib/queries/person/filter.rb and 1 other location - About 25 mins to fix
        lib/queries/person/filter.rb on lines 341..349

        Duplicated Code

        Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

        Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

        When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

        Tuning

        This issue has a mass of 31.

        We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

        The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

        If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

        See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

        Refactorings

        Further Reading

        There are no issues that match your filters.

        Category
        Status