Showing 52 of 52 total issues
i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS Open
i18n (0.7.0)
Advisory: CVE-2014-10077
URL: https://github.com/svenfuchs/i18n/pull/289
Solution: upgrade to >= 0.8.0
Command injection in ruby-git Open
git (1.3.0)
Advisory: CVE-2022-25648
Criticality: Critical
URL: https://github.com/ruby-git/ruby-git/pull/569
Solution: upgrade to >= 1.11.0
Block has too many lines. [103/25] Open
namespace :sidekiq do
namespace :service do
sidekiq_config_file = File.join('config', 'sidekiq.yml')
sidekiq_config_file = File.expand_path(sidekiq_config_file)
if File.exist? sidekiq_config_file
This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.
Block has too many lines. [50/25] Open
namespace :service do
sidekiq_config_file = File.join('config', 'sidekiq.yml')
sidekiq_config_file = File.expand_path(sidekiq_config_file)
if File.exist? sidekiq_config_file
sidekiq_config = YAML.load(File.read(sidekiq_config_file))
Block has too many lines. [45/25] Open
namespace :dpn do
namespace :sync do
desc "DPN - fetch bag meta-data from remote nodes"
task :bags do
DPN::Workers::SyncWorker.perform_async "DPN::Workers::SyncBags"
Block has too many lines. [43/25] Open
namespace :sync do
desc "DPN - fetch bag meta-data from remote nodes"
task :bags do
DPN::Workers::SyncWorker.perform_async "DPN::Workers::SyncBags"
end
Path traversal is possible via backslash characters on Windows. Open
rack-protection (1.5.3)
Advisory: CVE-2018-7212
URL: https://github.com/sinatra/sinatra/pull/1379
Solution: upgrade to >= 2.0.1, ~> 1.5.4
Possible information leak / session hijack vulnerability Open
rack (1.6.5)
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Possible XSS vulnerability in Rack Open
rack (1.6.5)
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Possible arbitrary path traversal and file access via yard server Open
yard (0.9.12)
Advisory:
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20
rack-protection gem timing attack vulnerability when validating CSRF token Open
rack-protection (1.5.3)
Advisory: CVE-2018-1000119
Criticality: Medium
URL: https://github.com/sinatra/rack-protection/pull/98
Solution: upgrade to ~> 1.5.5, >= 2.0.0
Arbitrary path traversal and file access via yard server Open
yard (0.9.12)
Advisory: CVE-2019-1020001
Criticality: High
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20
Method os_execute has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring. Open
def os_execute(command)
status, stdout, stderr = systemu(command)
status.exitstatus.zero? ? stdout : raise(stderr)
rescue
msg = ["Command failed to execute: #{command}"]
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Prefer using YAML.safe_load over YAML.load. Open
sidekiq_config = YAML.load(File.read(sidekiq_config_file))
This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.
Example:
# bad
YAML.load("--- foo")
# good
YAML.safe_load("--- foo")
YAML.dump("foo")
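The distinction matters for the sidekiq.yml load flagged above: an unrestricted YAML.load will instantiate any class named by a !ruby/object tag, so whoever can write the config file controls what objects are built in the process. The following is an added example, not part of the Code Climate report or the project's code. ConfigSpy is a hypothetical class standing in for any class on the load path, and both YAML documents are constructed for the example. It also shows the practical edge case of safe_load on a symbol-keyed sidekiq.yml, which is refused until Symbol is permitted explicitly.

```ruby
require 'yaml'

# Hypothetical stand-in for any class reachable from the load path. A real
# attacker picks one whose instance variables are acted on later (a gadget);
# the point here is only that the unrestricted loader builds it on request.
class ConfigSpy
  attr_accessor :cmd
end

# Constructed: what an attacker who can write the config file would supply.
HOSTILE_YAML = "--- !ruby/object:ConfigSpy\ncmd: id\n".freeze

# Constructed: a typical symbol-keyed sidekiq.yml.
SIDEKIQ_YAML = ":concurrency: 5\n:queues:\n  - default\n  - mailers\n".freeze

# The legacy unrestricted loader. Psych >= 3.3.2 names it unsafe_load;
# on older Psych, YAML.load itself is the unrestricted path.
def load_config_unsafely(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened form: only plain data plus Symbol, because sidekiq.yml uses :keys.
def load_config_safely(text)
  YAML.safe_load(text, permitted_classes: [Symbol])
end

# True when safe_load refuses the document under the given allow-list.
def rejected_by_safe_load?(text, permitted: [Symbol])
  YAML.safe_load(text, permitted_classes: permitted)
  false
rescue Psych::DisallowedClass
  true
end

if $PROGRAM_NAME == __FILE__
  spy = load_config_unsafely(HOSTILE_YAML)
  puts "unrestricted loader built a #{spy.class} with cmd=#{spy.cmd.inspect}"
  puts "safe_load rejects it: #{rejected_by_safe_load?(HOSTILE_YAML)}"
  puts "safe_load without Symbol rejects sidekiq.yml: " \
       "#{rejected_by_safe_load?(SIDEKIQ_YAML, permitted: [])}"
  p load_config_safely(SIDEKIQ_YAML)
end
```

The permitted_classes keyword requires Psych 3.1 or newer (Ruby 2.6+); keep the allow-list to the data types the config actually needs rather than widening it until the error goes away.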
Use __dir__ to get an absolute path to the current file's directory. Open
cwd = File.expand_path(File.dirname(__FILE__))
This cop checks for places where the #__dir__ method can replace more complex constructs to retrieve a canonicalized absolute path to the current file.
Example:
# bad
path = File.expand_path(File.dirname(__FILE__))
# bad
path = File.dirname(File.realpath(__FILE__))
# good
path = __dir__
Avoid rescuing without specifying an error class. Open
rescue
This cop checks for rescuing StandardError. There are two supported styles, implicit and explicit. This cop will not register an offense if any error other than StandardError is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Example: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Avoid rescuing without specifying an error class. Open
rescue