Showing 87 of 91 total issues
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open
nokogiri (1.8.5)
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Loofah XSS Vulnerability Open
loofah (2.2.2)
Advisory: CVE-2019-15587
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Solution: upgrade to >= 2.3.1
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open
nokogiri (1.8.5)
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open
nokogiri (1.8.5)
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.5)
Advisory: CVE-2020-8161
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open
nokogiri (1.8.5)
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (2.0.5)
Advisory: CVE-2020-8184
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open
nokogiri (1.8.5)
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Class Form has 24 methods (exceeds 20 allowed). Consider refactoring. Open
class Form
  include Virtus.model
  include ActiveModel::Validations
  attr_reader :context
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.2.1)
Advisory: CVE-2020-8165
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible XSS vulnerability in Rack Open
rack (2.0.5)
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Possible DoS vulnerability in Rack Open
rack (2.0.5)
Advisory: CVE-2018-16470
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Solution: upgrade to >= 2.0.6
Rectify::RSpec::DatabaseReporter::QueryStats#each yields 4 parameters Open
yield(
A Long Yield List occurs when a method yields a lot of arguments to the block it gets passed.
Example
class Dummy
  def yields_a_lot(foo,bar,baz,fling,flung)
    yield foo,bar,baz,fling,flung
  end
end
Reek would report the following warning:
test.rb -- 1 warning:
  [4]:Dummy#yields_a_lot yields 5 parameters (LongYieldList)
A common solution to this problem would be the introduction of parameter objects.
Rectify::StubForm#respond_to_missing? has boolean parameter '_include_private' Open
def respond_to_missing?(method_name, _include_private = false)
Boolean Parameter is a special case of Control Couple, where a method parameter is defaulted to true or false. A Boolean Parameter effectively permits a method's caller to decide which execution path to take. This is a case of bad cohesion. You're creating a dependency between methods that is not really necessary, thus increasing coupling.
Example
Given
class Dummy
  def hit_the_switch(switch = true)
    if switch
      puts 'Hitting the switch'
      # do other things...
    else
      puts 'Not hitting the switch'
      # do other things...
    end
  end
end
Reek would emit the following warning:
test.rb -- 3 warnings:
  [1]:Dummy#hit_the_switch has boolean parameter 'switch' (BooleanParameter)
  [2]:Dummy#hit_the_switch is controlled by argument switch (ControlParameter)
Note that both smells are reported, Boolean Parameter and Control Parameter.
Getting rid of the smell
This is highly dependent on your exact architecture, but looking at the example above what you could do is:
- Move everything in the if branch into a separate method
- Move everything in the else branch into a separate method
- Get rid of the hit_the_switch method altogether
- Make the decision what method to call in the initial caller of hit_the_switch
Loofah XSS Vulnerability Open
loofah (2.2.2)
Advisory: CVE-2018-16468
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/154
Solution: upgrade to >= 2.2.3
Possible information leak / session hijack vulnerability Open
rack (2.0.5)
Advisory: CVE-2019-16782
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Rectify::Command#respond_to_missing? has boolean parameter 'include_private' Open
def respond_to_missing?(method_name, include_private = false)
Rectify::RSpec::DatabaseReporter::QueryStats#add has 4 parameters Open
def add(example, start, finish, query)
A Long Parameter List occurs when a method has a lot of parameters.
Example
Given
class Dummy
  def long_list(foo,bar,baz,fling,flung)
    puts foo,bar,baz,fling,flung
  end
end
Reek would report the following warning:
test.rb -- 1 warning:
  [2]:Dummy#long_list has 5 parameters (LongParameterList)
A common solution to this problem would be the introduction of parameter objects.
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (5.2.1)
Advisory: CVE-2020-8166
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible Strong Parameters Bypass in ActionPack Open
actionpack (5.2.1)
Advisory: CVE-2020-8164
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1