Showing 139 of 139 total issues
Possible Information Leak Vulnerability in Action View Open
actionview (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0752
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Arbitrary file existence disclosure in Action Pack Open
actionpack (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Possible Input Validation Circumvention in Active Model Open
activemodel (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0753
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Nested attributes rejection proc bypass in Active Record Open
activerecord (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
XSS Vulnerability in ActiveSupport::JSON.encode Open
activesupport (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-3226
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
Solution: upgrade to >= 4.2.2, ~> 4.1.11
Denial of service or RCE from libxml2 and libxslt Open
nokogiri (1.6.7.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-8806
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1473
Solution: upgrade to >= 1.6.8
Arbitrary file existence disclosure in Action Pack Open
actionpack (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
Possible Information Leak Vulnerability in Action View Open
actionview (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-2097
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Solution: upgrade to >= 4.1.14.2, ~> 4.1.14
Possible Denial of Service attack in Active Support Open
activesupport (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-3227
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
Timing attack vulnerability in basic authentication in Action Controller. Open
actionpack (4.1.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
ruby-ffi DDL loading issue on Windows OS Open
ffi (1.9.10)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Similar blocks of code found in 3 locations. Consider refactoring. Open
def update
respond_to do |format|
if @student.update(student_params)
format.html { redirect_to @student, notice: "Student was successfully updated." }
format.json { head :no_content }
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 41.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Similar blocks of code found in 3 locations. Consider refactoring. Open
def update
respond_to do |format|
if @school.update(school_params)
format.html { redirect_to @school, notice: "School was successfully updated." }
format.json { head :no_content }
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 41.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Similar blocks of code found in 3 locations. Consider refactoring. Open
def update
respond_to do |format|
if @classroom.update(classroom_params)
format.html { redirect_to @classroom, notice: "Classroom was successfully updated." }
format.json { head :no_content }
- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 41.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication
's documentation for more information about tuning the mass threshold in your .codeclimate.yml
.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Rails 4.1.6 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1 Open
rails (4.1.6)
- Read upRead up
- Exclude checks
protect_from_forgery should be configured with 'with: :exception' Open
protect_from_forgery with: :null_session
- Read upRead up
- Exclude checks
Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.
This warning is raised when no call to protect_from_forgery
is found in ApplicationController
. This method prevents CSRF.
For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception
. This code is inserted into newly generated applications. The default is to nil
out the session object, which has been a source of many CSRF bypasses due to session memoization.
See the Ruby Security Guide for details.
Rails 4.1.6 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.1.11 Open
rails (4.1.6)
- Read upRead up
- Exclude checks
Rails 4.1.6 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1 Open
rails (4.1.6)
- Read upRead up
- Exclude checks
Rails 4.1.6 does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version 4.1.11 Open
rails (4.1.6)
- Read upRead up
- Exclude checks