andypike/rectify

View on GitHub

Showing 87 of 91 total issues

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (2.0.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.5)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (2.0.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Loofah XSS Vulnerability
Open

    loofah (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

Class Form has 24 methods (exceeds 20 allowed). Consider refactoring.
Open

  class Form
    include Virtus.model
    include ActiveModel::Validations

    attr_reader :context
Severity: Minor
Found in lib/rectify/form.rb - About 2 hrs to fix

    Rectify::RSpec::DatabaseReporter::QueryStats#add refers to 'info' more than self (maybe move it to another class?)
    Open

              return if info.ignore?
    
              stats[info.target] << info

    Feature Envy occurs when a code fragment references another object more often than it references itself, or when several clients do the same series of manipulations on a particular type of object.

    Feature Envy reduces the code's ability to communicate intent: code that "belongs" on one class but which is located in another can be hard to find, and may upset the "System of Names" in the host class.

    Feature Envy also affects the design's flexibility: A code fragment that is in the wrong class creates couplings that may not be natural within the application's domain, and creates a loss of cohesion in the unwilling host class.

    Feature Envy often arises because it must manipulate other objects (usually its arguments) to get them into a useful form, and one force preventing them (the arguments) doing this themselves is that the common knowledge lives outside the arguments, or the arguments are of too basic a type to justify extending that type. Therefore there must be something which 'knows' about the contents or purposes of the arguments. That thing would have to be more than just a basic type, because the basic types are either containers which don't know about their contents, or they are single objects which can't capture their relationship with their fellows of the same type. So, this thing with the extra knowledge should be reified into a class, and the utility method will most likely belong there.

    Example

    Running Reek on:

    class Warehouse
      def sale_price(item)
        (item.price - item.rebate) * @vat
      end
    end

    would report:

    Warehouse#total_price refers to item more than self (FeatureEnvy)

    since this:

    (item.price - item.rebate)

    belongs to the Item class, not the Warehouse.

    Rectify::RSpec::DatabaseReporter::QueryStats#add has 4 parameters
    Open

            def add(example, start, finish, query)

    A Long Parameter List occurs when a method has a lot of parameters.

    Example

    Given

    class Dummy
      def long_list(foo,bar,baz,fling,flung)
        puts foo,bar,baz,fling,flung
      end
    end

    Reek would report the following warning:

    test.rb -- 1 warning:
      [2]:Dummy#long_list has 5 parameters (LongParameterList)

    A common solution to this problem would be the introduction of parameter objects.

    Possible DoS vulnerability in Rack
    Open

        rack (2.0.5)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2018-16470

    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk

    Solution: upgrade to >= 2.0.6

    Ability to forge per-form CSRF tokens given a global CSRF token
    Open

        actionpack (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8166

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

    Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

    Possible DoS Vulnerability in Active Record PostgreSQL adapter
    Open

        activerecord (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2021-22880

    Criticality: Medium

    URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

    Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1

    Potential XSS vulnerability in Action View
    Open

        actionview (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-15169

    URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

    Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

    CSRF Vulnerability in rails-ujs
    Open

        actionview (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8167

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

    Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

    Loofah XSS Vulnerability
    Open

        loofah (2.2.2)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2018-16468

    Criticality: Medium

    URL: https://github.com/flavorjones/loofah/issues/154

    Solution: upgrade to >= 2.2.3

    File Content Disclosure in Action View
    Open

        actionview (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2019-5418

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

    Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

    Rectify::RSpec::DatabaseReporter::QueryStats#each refers to 'infos' more than self (maybe move it to another class?)
    Open

                  infos.first.type,
                  infos.count,
                  infos.sum(&:time).round(5)

    Feature Envy occurs when a code fragment references another object more often than it references itself, or when several clients do the same series of manipulations on a particular type of object.

    Feature Envy reduces the code's ability to communicate intent: code that "belongs" on one class but which is located in another can be hard to find, and may upset the "System of Names" in the host class.

    Feature Envy also affects the design's flexibility: A code fragment that is in the wrong class creates couplings that may not be natural within the application's domain, and creates a loss of cohesion in the unwilling host class.

    Feature Envy often arises because it must manipulate other objects (usually its arguments) to get them into a useful form, and one force preventing them (the arguments) doing this themselves is that the common knowledge lives outside the arguments, or the arguments are of too basic a type to justify extending that type. Therefore there must be something which 'knows' about the contents or purposes of the arguments. That thing would have to be more than just a basic type, because the basic types are either containers which don't know about their contents, or they are single objects which can't capture their relationship with their fellows of the same type. So, this thing with the extra knowledge should be reified into a class, and the utility method will most likely belong there.

    Example

    Running Reek on:

    class Warehouse
      def sale_price(item)
        (item.price - item.rebate) * @vat
      end
    end

    would report:

    Warehouse#total_price refers to item more than self (FeatureEnvy)

    since this:

    (item.price - item.rebate)

    belongs to the Item class, not the Warehouse.

    Possible Strong Parameters Bypass in ActionPack
    Open

        actionpack (5.2.1)
    Severity: Minor
    Found in Gemfile.lock by bundler-audit

    Advisory: CVE-2020-8164

    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

    Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

    Severity
    Category
    Status
    Source
    Language