Possible SQL injection Open
AND tags.name " + Common.like_operator + " ? ", @user.id, terms])
- Read upRead up
- Exclude checks
Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.
Brakeman focuses on ActiveRecord methods dealing with building SQL statements.
A basic (Rails 2.x) example looks like this:
User.first(:conditions => "username = '#{params[:username]}'")
Brakeman would produce a warning like this:
Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))
The safe way to do this query is to use a parameterized query:
User.first(:conditions => ["username = ?", params[:username]])
Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):
username = params[:user][:name].downcase
password = params[:user][:password]
User.first.where("username = '" + username + "' AND password = '" + password + "'")
This results in this kind of warning:
Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))
See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.
Complex method Search::SearchResults#number_of_finds (31.6) Open
def number_of_finds
results[:todos].size + results[:projects].size + results[:notes].size + results[:contexts].size + results[:tags].size
- Read upRead up
- Exclude checks
Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.
You can read more about ABC metrics or the flog tool
Search::SearchResults#search has approx 7 statements Open
def search
- Read upRead up
- Exclude checks
A method with Too Many Statements
is any method that has a large number of lines.
Too Many Statements
warns about any method that has more than 5 statements. Reek's smell detector for Too Many Statements
counts +1 for every simple statement in a method and +1 for every statement within a control structure (if
, else
, case
, when
, for
, while
, until
, begin
, rescue
) but it doesn't count the control structure itself.
So the following method would score +6 in Reek's statement-counting algorithm:
def parse(arg, argv, &error)
if !(val = arg) and (argv.empty? or /\A-/ =~ (val = argv[0]))
return nil, block, nil # +1
end
opt = (val = parse_arg(val, &error))[1] # +2
val = conv_arg(*val) # +3
if opt and !arg
argv.shift # +4
else
val[0] = nil # +5
end
val # +6
end
(You might argue that the two assigments within the first @if@ should count as statements, and that perhaps the nested assignment should count as +2.)
Complex method Search::SearchResults#search (23.9) Open
def search
results[:not_complete_todos] = incomplete_todos(@terms)
results[:complete_todos] = complete_todos(@terms)
results[:todos] = results[:not_complete_todos] + results[:complete_todos]
results[:projects] = @user.projects.with_name_or_description(@terms)
- Read upRead up
- Exclude checks
Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.
You can read more about ABC metrics or the flog tool
Search::SearchResults#complete_todos calls 'Common.like_operator' 2 times Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND NOT (todos.completed_at IS NULL)", terms, terms)
- Read upRead up
- Exclude checks
Duplication occurs when two fragments of code look nearly identical, or when two fragments of code have nearly identical effects at some conceptual level.
Reek implements a check for Duplicate Method Call.
Example
Here's a very much simplified and contrived example. The following method will report a warning:
def double_thing()
@other.thing + @other.thing
end
One quick approach to silence Reek would be to refactor the code thus:
def double_thing()
thing = @other.thing
thing + thing
end
A slightly different approach would be to replace all calls of double_thing
by calls to @other.double_thing
:
class Other
def double_thing()
thing + thing
end
end
The approach you take will depend on balancing other factors in your code.
Search::SearchResults has no descriptive comment Open
class SearchResults
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Search::SearchResults#incomplete_todos calls 'Common.like_operator' 2 times Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND todos.completed_at IS NULL", terms, terms)
- Read upRead up
- Exclude checks
Duplication occurs when two fragments of code look nearly identical, or when two fragments of code have nearly identical effects at some conceptual level.
Reek implements a check for Duplicate Method Call.
Example
Here's a very much simplified and contrived example. The following method will report a warning:
def double_thing()
@other.thing + @other.thing
end
One quick approach to silence Reek would be to refactor the code thus:
def double_thing()
thing = @other.thing
thing + thing
end
A slightly different approach would be to replace all calls of double_thing
by calls to @other.double_thing
:
class Other
def double_thing()
thing + thing
end
end
The approach you take will depend on balancing other factors in your code.
Align .reorder
with .todos
on line 28. Open
.reorder(Arel.sql("todos.due IS NULL, todos.due ASC, todos.created_at ASC"))
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Align .includes
with .todos
on line 35. Open
.includes(Todo::DEFAULT_INCLUDES)
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Missing magic comment # frozen_string_literal: true
. Open
module Search
- Read upRead up
- Exclude checks
This cop is designed to help upgrade to Ruby 3.0. It will add the
comment # frozen_string_literal: true
to the top of files to
enable frozen string literals. Frozen string literals may be default
in Ruby 3.0. The comment will be added below a shebang and encoding
comment. The frozen string literal comment is only valid in Ruby 2.3+.
Example: EnforcedStyle: when_needed (default)
# The `when_needed` style will add the frozen string literal comment
# to files only when the `TargetRubyVersion` is set to 2.3+.
# bad
module Foo
# ...
end
# good
# frozen_string_literal: true
module Foo
# ...
end
Example: EnforcedStyle: always
# The `always` style will always add the frozen string literal comment
# to a file, regardless of the Ruby version or if `freeze` or `<<` are
# called on a string literal.
# bad
module Bar
# ...
end
# good
# frozen_string_literal: true
module Bar
# ...
end
Example: EnforcedStyle: never
# The `never` will enforce that the frozen string literal comment does
# not exist in a file.
# bad
# frozen_string_literal: true
module Baz
# ...
end
# good
module Baz
# ...
end
Align .includes
with .todos
on line 28. Open
.includes(Todo::DEFAULT_INCLUDES)
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Line is too long. [165/120] Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND NOT (todos.completed_at IS NULL)", terms, terms)
- Exclude checks
Align .where
with .todos
on line 28. Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND todos.completed_at IS NULL", terms, terms)
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Line is too long. [159/120] Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND todos.completed_at IS NULL", terms, terms)
- Exclude checks
Align .reorder
with .todos
on line 35. Open
.reorder("todos.completed_at DESC")
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Align .where
with .todos
on line 35. Open
.where("(todos.description " + Common.like_operator + " ? OR todos.notes " + Common.like_operator + " ?) AND NOT (todos.completed_at IS NULL)", terms, terms)
- Read upRead up
- Exclude checks
This cop checks the indentation of the method name part in method calls that span more than one line.
Example: EnforcedStyle: aligned
# bad
while myvariable
.b
# do something
end
# good
while myvariable
.b
# do something
end
# good
Thing.a
.b
.c
Example: EnforcedStyle: indented
# good
while myvariable
.b
# do something
end
Example: EnforcedStyle: indentedrelativeto_receiver
# good
while myvariable
.a
.b
# do something
end
# good
myvariable = Thing
.a
.b
.c
Line is too long. [123/120] Open
results[:todos].size + results[:projects].size + results[:notes].size + results[:contexts].size + results[:tags].size
- Exclude checks