deliveroo/routemaster

View on GitHub

Showing 18 of 18 total issues

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.6.11)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (1.6.11)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

HTTP Response Splitting vulnerability in puma
Open

    puma (3.7.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5247

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Solution: upgrade to ~> 3.12.4, >= 4.3.3

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11076

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

Solution: upgrade to ~> 3.12.5, >= 4.3.4

Keepalive thread overload/DoS in puma
Open

    puma (3.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16770

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Solution: upgrade to ~> 3.12.2, >= 4.3.1

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.7.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

HTTP Response Splitting (Early Hints) in Puma
Open

    puma (3.7.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Class Batch has 28 methods (exceeds 20 allowed). Consider refactoring.
Open

    class Batch
      include Mixins::Redis
      include Mixins::Assert
      include Mixins::Log
      include Mixins::Counters
Severity: Minor
Found in routemaster/models/batch.rb - About 3 hrs to fix

    Class Subscriber has 28 methods (exceeds 20 allowed). Consider refactoring.
    Open

      class Subscriber < Routemaster::Models::Base
        TIMEOUT_RANGE = 0..3_600_000
        DEFAULT_TIMEOUT = 500
        DEFAULT_MAX_EVENTS = 100
    
    
    Severity: Minor
    Found in routemaster/models/subscriber.rb - About 3 hrs to fix

      Method has too many lines. [31/30]
      Open

            def call
              @dispatcher.batched do
                Models::Batch.gauges.each_pair do |type, data|
                  data.each_pair do |name, count|
                    @dispatcher.gauge(
      Severity: Minor
      Found in routemaster/jobs/monitor.rb by rubocop

      This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

      Method call has 31 lines of code (exceeds 25 allowed). Consider refactoring.
      Open

            def call
              @dispatcher.batched do
                Models::Batch.gauges.each_pair do |type, data|
                  data.each_pair do |name, count|
                    @dispatcher.gauge(
      Severity: Minor
      Found in routemaster/jobs/monitor.rb - About 1 hr to fix

        Method call has 26 lines of code (exceeds 25 allowed). Consider refactoring.
        Open

              def call
                trace_with_newrelic('Custom/Services/ingest') do
                  data = Services::Codec.new.dump(@event)
        
                  @topic.subscribers.each do |s|
        Severity: Minor
        Found in routemaster/services/ingest.rb - About 1 hr to fix

          Possible information leak / session hijack vulnerability
          Open

              rack (1.6.11)
          Severity: Minor
          Found in Gemfile.lock by bundler-audit

          Advisory: CVE-2019-16782

          URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

          Solution: upgrade to ~> 1.6.12, >= 2.0.8

          Method call has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
          Open

                def call
                  Services::Worker.each do |w|
                    last_at = w.last_at
                    next if last_at.nil?
                    next unless last_at <= Routemaster.now - @max_age
          Severity: Minor
          Found in routemaster/jobs/scrub_workers.rb - About 35 mins to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Method registered has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
          Open

                def self.registered(app)
                  app.helpers Helpers
          
                  app.set :parse do |format|
                    condition do
          Severity: Minor
          Found in routemaster/controllers/parser.rb - About 35 mins to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Method call has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
          Open

                def call
                  next_at = Routemaster.now + @every
                  @queue.push Models::Job.new(name: @name, run_at: @delay ? next_at : nil)
                  sleep TICK while (block_given? ? yield : true) && Routemaster.now < next_at
                end
          Severity: Minor
          Found in routemaster/services/ticker.rb - About 35 mins to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Method length has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
          Open

                def length(deadline: nil, scheduled: true, instant: true)
                  _assert(deadline.nil? || deadline.kind_of?(Integer), 'bad deadline value')
          
                  deadline ||= '+inf'
                  (scheduled ? _redis.zcount(_scheduled_key, '-inf', deadline) : 0) +
          Severity: Minor
          Found in routemaster/models/queue.rb - About 25 mins to fix

          Cognitive Complexity

          Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

          A method's cognitive complexity is based on a few simple rules:

          • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
          • Code is considered more complex for each "break in the linear flow of the code"
          • Code is considered more complex when "flow breaking structures are nested"

          Further reading

          Severity
          Category
          Status
          Source
          Language