codeforamerica/ohana-api

app/models/concerns/search.rb

Summary

Maintainability: A (0 mins)
Test Coverage: A (100%)

Possible SQL injection
Open

      order_query = Arel.sql("#{rank_for(query)} DESC, locations.updated_at DESC")
Severity: Minor
Found in app/models/concerns/search.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Search::ClassMethods#search refers to 'params' more than self (maybe move it to another class?)
Open

            with_email(params[:email]).
            is_near(params[:location], params[:lat_lng], params[:radius])

      return res unless params[:keyword] && params[:service_area]

Severity: Minor
Found in app/models/concerns/search.rb by reek

Feature Envy occurs when a code fragment references another object more often than it references itself, or when several clients do the same series of manipulations on a particular type of object.

Feature Envy reduces the code's ability to communicate intent: code that "belongs" on one class but which is located in another can be hard to find, and may upset the "System of Names" in the host class.

Feature Envy also affects the design's flexibility: A code fragment that is in the wrong class creates couplings that may not be natural within the application's domain, and creates a loss of cohesion in the unwilling host class.

Feature Envy often arises because a method must manipulate other objects (usually its arguments) to get them into a useful form. One force preventing the arguments from doing this themselves is that the relevant knowledge lives outside them, or that they are of too basic a type to justify extending that type. Therefore there must be something that 'knows' about the contents or purposes of the arguments. That thing has to be more than a basic type, because basic types are either containers that don't know about their contents, or single objects that can't capture their relationship with their fellows of the same type. So this thing with the extra knowledge should be reified into a class, and the utility method will most likely belong there.

Example

Running Reek on:

class Warehouse
  def sale_price(item)
    (item.price - item.rebate) * @vat
  end
end

would report:

Warehouse#sale_price refers to item more than self (FeatureEnvy)

since this:

(item.price - item.rebate)

belongs to the Item class, not the Warehouse.

Search::ClassMethods#status is controlled by argument 'param'
Open

      param == 'active' ? where(active: true) : where(active: false)
Severity: Minor
Found in app/models/concerns/search.rb by reek

Control Parameter is a special case of Control Couple: a method argument whose value decides which code path the method takes.

Example

A simple example would be the "quoted" parameter in the following method:

def write(quoted)
  if quoted
    write_quoted @value
  else
    write_unquoted @value
  end
end

Fixing those problems is out of the scope of this document, but an easy solution could be to remove the "write" method altogether and to move the calls to "write_quoted" / "write_unquoted" into the initial caller of "write".

Search::ClassMethods#search calls 'params[:keyword]' 2 times
Open

      return res unless params[:keyword] && params[:service_area]

      res.select("locations.*, #{rank_for(params[:keyword])}")
Severity: Minor
Found in app/models/concerns/search.rb by reek

Duplication occurs when two fragments of code look nearly identical, or when two fragments of code have nearly identical effects at some conceptual level.

Reek implements a check for Duplicate Method Call.

Example

Here's a very much simplified and contrived example. The following method will report a warning:

def double_thing()
  @other.thing + @other.thing
end

One quick approach to silence Reek would be to refactor the code thus:

def double_thing()
  thing = @other.thing
  thing + thing
end

A slightly different approach would be to replace all calls of double_thing by calls to @other.double_thing:

class Other
  def double_thing()
    thing + thing
  end
end

The approach you take will depend on balancing other factors in your code.

Search::ClassMethods#allowed_params doesn't depend on instance state (maybe move it to another class?)
Open

    def allowed_params(params)
Severity: Minor
Found in app/models/concerns/search.rb by reek

A Utility Function is any instance method that has no dependency on the state of the instance.

Search::ClassMethods#rank_for doesn't depend on instance state (maybe move it to another class?)
Open

    def rank_for(query)
Severity: Minor
Found in app/models/concerns/search.rb by reek

A Utility Function is any instance method that has no dependency on the state of the instance.

Search#nearbys has the variable name 'r'
Open

      r = LocationFilter.new(self.class).validated_radius(radius, 0.5)
Severity: Minor
Found in app/models/concerns/search.rb by reek

An Uncommunicative Variable Name is a variable name that doesn't communicate its intent well enough.

Poor names make it hard for the reader to build a mental picture of what's going on in the code. They can also be misinterpreted, and they hurt the flow of reading, because the reader must slow down to interpret the names.
