Showing 87 of 91 total issues
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open
nokogiri (1.8.5)- Read upRead up
- Exclude checks
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Loofah XSS Vulnerability Open
loofah (2.2.2)- Read upRead up
- Exclude checks
Advisory: CVE-2019-15587
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Solution: upgrade to >= 2.3.1
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open
nokogiri (1.8.5)- Read upRead up
- Exclude checks
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open
nokogiri (1.8.5)- Read upRead up
- Exclude checks
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.5)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8161
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open
nokogiri (1.8.5)- Read upRead up
- Exclude checks
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (2.0.5)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8184
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open
nokogiri (1.8.5)- Read upRead up
- Exclude checks
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Class Form has 24 methods (exceeds 20 allowed). Consider refactoring. Open
class Form
include Virtus.model
include ActiveModel::Validations
attr_reader :contextPotentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.2.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8165
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible XSS vulnerability in Rack Open
rack (2.0.5)- Read upRead up
- Exclude checks
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Possible DoS vulnerability in Rack Open
rack (2.0.5)- Read upRead up
- Exclude checks
Advisory: CVE-2018-16470
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Solution: upgrade to >= 2.0.6
Rectify::RSpec::DatabaseReporter::QueryStats#each yields 4 parameters Open
yield(- Read upRead up
- Exclude checks
A Long Yield List occurs when a method yields a lot of arguments to the block it gets passed.
Example
class Dummy
def yields_a_lot(foo,bar,baz,fling,flung)
yield foo,bar,baz,fling,flung
end
endReek would report the following warning:
test.rb -- 1 warning:
[4]:Dummy#yields_a_lot yields 5 parameters (LongYieldList)A common solution to this problem would be the introduction of parameter objects.
Rectify::StubForm#respond_to_missing? has boolean parameter '_include_private' Open
def respond_to_missing?(method_name, _include_private = false)- Read upRead up
- Exclude checks
Boolean Parameter is a special case of Control Couple, where a method parameter is defaulted to true or false. A Boolean Parameter effectively permits a method's caller to decide which execution path to take. This is a case of bad cohesion. You're creating a dependency between methods that is not really necessary, thus increasing coupling.
Example
Given
class Dummy
def hit_the_switch(switch = true)
if switch
puts 'Hitting the switch'
# do other things...
else
puts 'Not hitting the switch'
# do other things...
end
end
endReek would emit the following warning:
test.rb -- 3 warnings:
[1]:Dummy#hit_the_switch has boolean parameter 'switch' (BooleanParameter)
[2]:Dummy#hit_the_switch is controlled by argument switch (ControlParameter)Note that both smells are reported, Boolean Parameter and Control Parameter.
Getting rid of the smell
This is highly dependent on your exact architecture, but looking at the example above what you could do is:
- Move everything in the
ifbranch into a separate method - Move everything in the
elsebranch into a separate method - Get rid of the
hit_the_switchmethod alltogether - Make the decision what method to call in the initial caller of
hit_the_switch
Loofah XSS Vulnerability Open
loofah (2.2.2)- Read upRead up
- Exclude checks
Advisory: CVE-2018-16468
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/154
Solution: upgrade to >= 2.2.3
Possible information leak / session hijack vulnerability Open
rack (2.0.5)- Read upRead up
- Exclude checks
Advisory: CVE-2019-16782
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Rectify::Command#respond_to_missing? has boolean parameter 'include_private' Open
def respond_to_missing?(method_name, include_private = false)- Read upRead up
- Exclude checks
Boolean Parameter is a special case of Control Couple, where a method parameter is defaulted to true or false. A Boolean Parameter effectively permits a method's caller to decide which execution path to take. This is a case of bad cohesion. You're creating a dependency between methods that is not really necessary, thus increasing coupling.
Example
Given
class Dummy
def hit_the_switch(switch = true)
if switch
puts 'Hitting the switch'
# do other things...
else
puts 'Not hitting the switch'
# do other things...
end
end
endReek would emit the following warning:
test.rb -- 3 warnings:
[1]:Dummy#hit_the_switch has boolean parameter 'switch' (BooleanParameter)
[2]:Dummy#hit_the_switch is controlled by argument switch (ControlParameter)Note that both smells are reported, Boolean Parameter and Control Parameter.
Getting rid of the smell
This is highly dependent on your exact architecture, but looking at the example above what you could do is:
- Move everything in the
ifbranch into a separate method - Move everything in the
elsebranch into a separate method - Get rid of the
hit_the_switchmethod alltogether - Make the decision what method to call in the initial caller of
hit_the_switch
Rectify::RSpec::DatabaseReporter::QueryStats#add has 4 parameters Open
def add(example, start, finish, query)- Read upRead up
- Exclude checks
A Long Parameter List occurs when a method has a lot of parameters.
Example
Given
class Dummy
def long_list(foo,bar,baz,fling,flung)
puts foo,bar,baz,fling,flung
end
endReek would report the following warning:
test.rb -- 1 warning:
[2]:Dummy#long_list has 5 parameters (LongParameterList)A common solution to this problem would be the introduction of parameter objects.
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (5.2.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8166
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible Strong Parameters Bypass in ActionPack Open
actionpack (5.2.1)- Read upRead up
- Exclude checks
Advisory: CVE-2020-8164
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1