Showing 121 of 125 total issues
Denial of Service Vulnerability in Action View Open
actionview (5.2.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
Possible DoS vulnerability in Rack Open
rack (2.0.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16470
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Solution: upgrade to >= 2.0.6
Denial of service via header parsing in Rack Open
rack (2.0.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
Possible Information Disclosure / Unintended Method Execution in Action Pack Open
actionpack (5.2.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
Rectify::Form#valid? has approx 7 statements Open
def valid?(options = {})
- Read upRead up
- Exclude checks
A method with Too Many Statements
is any method that has a large number of lines.
Too Many Statements
warns about any method that has more than 5 statements. Reek's smell detector for Too Many Statements
counts +1 for every simple statement in a method and +1 for every statement within a control structure (if
, else
, case
, when
, for
, while
, until
, begin
, rescue
) but it doesn't count the control structure itself.
So the following method would score +6 in Reek's statement-counting algorithm:
def parse(arg, argv, &error)
if !(val = arg) and (argv.empty? or /\A-/ =~ (val = argv[0]))
return nil, block, nil # +1
end
opt = (val = parse_arg(val, &error))[1] # +2
val = conv_arg(*val) # +3
if opt and !arg
argv.shift # +4
else
val[0] = nil # +5
end
val # +6
end
(You might argue that the two assigments within the first @if@ should count as statements, and that perhaps the nested assignment should count as +2.)
Rectify::RSpec::DatabaseReporter::QueryStats#each refers to 'infos' more than self (maybe move it to another class?) Open
infos.first.type,
infos.count,
infos.sum(&:time).round(5)
- Read upRead up
- Exclude checks
Feature Envy occurs when a code fragment references another object more often than it references itself, or when several clients do the same series of manipulations on a particular type of object.
Feature Envy reduces the code's ability to communicate intent: code that "belongs" on one class but which is located in another can be hard to find, and may upset the "System of Names" in the host class.
Feature Envy also affects the design's flexibility: A code fragment that is in the wrong class creates couplings that may not be natural within the application's domain, and creates a loss of cohesion in the unwilling host class.
Feature Envy often arises because it must manipulate other objects (usually its arguments) to get them into a useful form, and one force preventing them (the arguments) doing this themselves is that the common knowledge lives outside the arguments, or the arguments are of too basic a type to justify extending that type. Therefore there must be something which 'knows' about the contents or purposes of the arguments. That thing would have to be more than just a basic type, because the basic types are either containers which don't know about their contents, or they are single objects which can't capture their relationship with their fellows of the same type. So, this thing with the extra knowledge should be reified into a class, and the utility method will most likely belong there.
Example
Running Reek on:
class Warehouse
def sale_price(item)
(item.price - item.rebate) * @vat
end
end
would report:
Warehouse#total_price refers to item more than self (FeatureEnvy)
since this:
(item.price - item.rebate)
belongs to the Item class, not the Warehouse.
Rectify::RSpec::DatabaseReporter::QueryInfo has no descriptive comment Open
class QueryInfo
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Rectify::RSpec::DatabaseReporter::QueryStats has no descriptive comment Open
class QueryStats
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Rectify::ControllerHelpers has no descriptive comment Open
module ControllerHelpers
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Rectify::Form#array_attributes_that_respond_to manually dispatches method call Open
.select { |f| f.respond_to?(message) }
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::Presenter#respond_to_missing? manually dispatches method call Open
view_context.respond_to?(method_name, include_private)
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::FormAttribute#collection? manually dispatches method call Open
type.respond_to?(:member_type)
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::Command assumes too much for instance variable '@caller' Open
class Command
- Read upRead up
- Exclude checks
Classes should not assume that instance variables are set or present outside of the current class definition.
Good:
class Foo
def initialize
@bar = :foo
end
def foo?
@bar == :foo
end
end
Good as well:
class Foo
def foo?
bar == :foo
end
def bar
@bar ||= :foo
end
end
Bad:
class Foo
def go_foo!
@bar = :foo
end
def foo?
@bar == :foo
end
end
Example
Running Reek on:
class Dummy
def test
@ivar
end
end
would report:
[1]:InstanceVariableAssumption: Dummy assumes too much for instance variable @ivar
Note that this example would trigger this smell warning as well:
class Parent
def initialize(omg)
@omg = omg
end
end
class Child < Parent
def foo
@omg
end
end
The way to address the smell warning is that you should create an attr_reader
to use @omg
in the subclass and not access @omg
directly like this:
class Parent
attr_reader :omg
def initialize(omg)
@omg = omg
end
end
class Child < Parent
def foo
omg
end
end
Directly accessing instance variables is considered a smell because it breaks encapsulation and makes it harder to reason about code.
If you don't want to expose those methods as public API just make them private like this:
class Parent
def initialize(omg)
@omg = omg
end
private
attr_reader :omg
end
class Child < Parent
def foo
omg
end
end
Current Support in Reek
An instance variable must:
- be set in the constructor
- or be accessed through a method with lazy initialization / memoization.
If not, Instance Variable Assumption will be reported.
Rectify::Command#method_missing manually dispatches method call Open
if @caller.respond_to?(method_name, true)
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::Form#attributes_that_respond_to manually dispatches method call Open
.select { |f| f.respond_to?(message) }
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::RSpec::Helpers has no descriptive comment Open
module Helpers
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Rectify::BuildFormFromModel#matching_attributes manually dispatches method call Open
.select { |a| model.respond_to?(a.name) }
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::Form#self.hash_from manually dispatches method call Open
params = params.to_unsafe_h if params.respond_to?(:to_unsafe_h)
- Read upRead up
- Exclude checks
Reek reports a Manual Dispatch smell if it finds source code that manually checks whether an object responds to a method before that method is called. Manual dispatch is a type of Simulated Polymorphism which leads to code that is harder to reason about, debug, and refactor.
Example
class MyManualDispatcher
attr_reader :foo
def initialize(foo)
@foo = foo
end
def call
foo.bar if foo.respond_to?(:bar)
end
end
Reek would emit the following warning:
test.rb -- 1 warning:
[9]: MyManualDispatcher manually dispatches method call (ManualDispatch)
Rectify::RSpec::DatabaseReporter::Reporter has no descriptive comment Open
class Reporter
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end
Rectify::Command has no descriptive comment Open
class Command
- Read upRead up
- Exclude checks
Classes and modules are the units of reuse and release. It is therefore considered good practice to annotate every class and module with a brief comment outlining its responsibilities.
Example
Given
class Dummy
# Do things...
end
Reek would emit the following warning:
test.rb -- 1 warning:
[1]:Dummy has no descriptive comment (IrresponsibleModule)
Fixing this is simple - just an explaining comment:
# The Dummy class is responsible for ...
class Dummy
# Do things...
end