andrewhao/bookplanner

Showing 139 of 139 total issues

Possible Information Leak Vulnerability in Action View
Open

    actionview (4.1.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0752

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Arbitrary file existence disclosure in Action Pack
Open

    actionpack (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-7829

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk

Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

Possible Input Validation Circumvention in Active Model
Open

    activemodel (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0753

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Nested attributes rejection proc bypass in Active Record
Open

    activerecord (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7577

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

XSS Vulnerability in ActiveSupport::JSON.encode
Open

    activesupport (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-3226

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU

Solution: upgrade to >= 4.2.2, ~> 4.1.11

Denial of service or RCE from libxml2 and libxslt
Open

    nokogiri (1.6.7.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-8806

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1473

Solution: upgrade to >= 1.6.8

Arbitrary file existence disclosure in Action Pack
Open

    actionpack (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-7818

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo

Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3

Possible Information Leak Vulnerability in Action View
Open

    actionview (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2097

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4

Solution: upgrade to >= 4.1.14.2, ~> 4.1.14

Possible Denial of Service attack in Active Support
Open

    activesupport (4.1.6)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-3227

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk

Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Timing attack vulnerability in basic authentication in Action Controller.
Open

    actionpack (4.1.6)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

ruby-ffi DLL loading issue on Windows OS
Open

    ffi (1.9.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Similar blocks of code found in 3 locations. Consider refactoring.
Open

  def update
    respond_to do |format|
      if @student.update(student_params)
        format.html { redirect_to @student, notice: "Student was successfully updated." }
        format.json { head :no_content }
Severity: Major
Found in app/controllers/students_controller.rb and 2 other locations - About 45 mins to fix
app/controllers/classrooms_controller.rb on lines 46..53
app/controllers/schools_controller.rb on lines 42..49

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code tends both to replicate further and to diverge over time, leaving bugs behind as two similar implementations come to differ in subtle ways.

Tuning

This issue has a mass of 41.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Similar blocks of code found in 3 locations. Consider refactoring.
Open

  def update
    respond_to do |format|
      if @school.update(school_params)
        format.html { redirect_to @school, notice: "School was successfully updated." }
        format.json { head :no_content }
Severity: Major
Found in app/controllers/schools_controller.rb and 2 other locations - About 45 mins to fix
app/controllers/classrooms_controller.rb on lines 46..53
app/controllers/students_controller.rb on lines 46..53

Similar blocks of code found in 3 locations. Consider refactoring.
Open

  def update
    respond_to do |format|
      if @classroom.update(classroom_params)
        format.html { redirect_to @classroom, notice: "Classroom was successfully updated." }
        format.json { head :no_content }
Severity: Major
Found in app/controllers/classrooms_controller.rb and 2 other locations - About 45 mins to fix
app/controllers/schools_controller.rb on lines 42..49
app/controllers/students_controller.rb on lines 46..53

Rails 4.1.6 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1
Open

    rails (4.1.6)
Severity: Minor
Found in Gemfile.lock by brakeman

protect_from_forgery should be configured with 'with: :exception'
Open

  protect_from_forgery with: :null_session

Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.

This warning is raised when no call to protect_from_forgery is found in ApplicationController, or when it is called with a strategy other than with: :exception (here, with: :null_session). This method prevents CSRF.

For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception. This code is inserted into newly generated applications. The default is to nil out the session object, which has been a source of many CSRF bypasses due to session memoization.

See the Ruby Security Guide for details.

Rails 4.1.6 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.1.11
Open

    rails (4.1.6)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 4.1.6 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
Open

    rails (4.1.6)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 4.1.6 does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version 4.1.11
Open

    rails (4.1.6)
Severity: Minor
Found in Gemfile.lock by brakeman