fedibird/mastodon


Showing 714 of 714 total issues

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Open

    puma (5.4.0)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41136

Criticality: Low

URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Solution: upgrade to ~> 4.3.9, >= 5.5.1

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

JMESPath for Ruby using JSON.load instead of JSON.parse
Open

    jmespath (1.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32511

Criticality: Critical

URL: https://github.com/jmespath/jmespath.rb/pull/55

Solution: upgrade to >= 1.6.1

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.10.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.12.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

HTTP Request Smuggling in puma
Open

    puma (5.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

Cyclomatic complexity for process_update is too high. [39/25]
Open

  def process_update
    user.settings['notification_emails']               = merged_notification_emails if change?('notification_emails')
    user.settings['interactions']                      = merged_interactions if change?('interactions')
    user.settings['default_privacy']                   = default_privacy_preference if change?('setting_default_privacy')
    user.settings['default_sensitive']                 = default_sensitive_preference if change?('setting_default_sensitive')
Severity: Minor
Found in app/lib/user_settings_decorator.rb by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one. Blocks that are calls to builtin iteration methods (e.g. `ary.map{...}`) also add one; others are ignored.

def each_child_node(*types)               # count begins: 1
  unless block_given?                     # unless: +1
    return to_enum(__method__, *types)
  end

  children.each do |child|                # each{}: +1
    next unless child.is_a?(Node)         # unless: +1

    yield child if types.empty? ||        # if: +1, ||: +1
                   types.include?(child.type)
  end

  self
end                                       # total: 6

Perceived complexity for process_update is too high. [39/25]
Open

  def process_update
    user.settings['notification_emails']               = merged_notification_emails if change?('notification_emails')
    user.settings['interactions']                      = merged_interactions if change?('interactions')
    user.settings['default_privacy']                   = default_privacy_preference if change?('setting_default_privacy')
    user.settings['default_sensitive']                 = default_sensitive_preference if change?('setting_default_sensitive')
Severity: Minor
Found in app/lib/user_settings_decorator.rb by rubocop

This cop tries to produce a complexity score that's a measure of the complexity the reader experiences when looking at a method. For that reason it considers when nodes as something that doesn't add as much complexity as an if or a &&. Except if it's one of those special case/when constructs where there's no expression after case. Then the cop treats it as an if/elsif/elsif... and lets all the when nodes count. In contrast to the CyclomaticComplexity cop, this cop considers else nodes as adding complexity.

Example:

def my_method                   # 1
  if cond                       # 1
    case var                    # 2 (0.8 + 4 * 0.2, rounded)
    when 1 then func_one
    when 2 then func_two
    when 3 then func_three
    when 4..10 then func_other
    end
  else                          # 1
    do_something until a && b   # 2
  end                           # ===
end                             # 7 complexity points

Method has too many lines. [71/65]
Open

  def initialize(account_ids, current_account_id, **options)
    @account_ids        = account_ids.map { |a| a.is_a?(Account) ? a.id : a.to_i }.uniq
    @current_account_id = current_account_id.is_a?(Account) ? current_account_id.id : current_account_id.to_i

    @following            = cached[:following]

This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods configuration is deprecated and only kept for backwards compatibility. Please use IgnoredMethods instead.

Example: CountAsOne: ['array', 'heredoc']

def m
  array = [       # +1
    1,
    2
  ]

  hash = {        # +3
    key: 'value'
  }

  <<~HEREDOC      # +1
    Heredoc
    content.
  HEREDOC
end               # 5 points

Perceived complexity for filter_from_home? is too high. [29/25]
Open

  def filter_from_home?(status, receiver_id, crutches)
    return false if receiver_id == status.account_id
    return true  if status.reply? && (status.in_reply_to_id.nil? || status.in_reply_to_account_id.nil?)
    return true  if phrase_filtered?(status, receiver_id, :home)

Severity: Minor
Found in app/lib/feed_manager.rb by rubocop

This cop tries to produce a complexity score that's a measure of the complexity the reader experiences when looking at a method. For that reason it considers when nodes as something that doesn't add as much complexity as an if or a &&. Except if it's one of those special case/when constructs where there's no expression after case. Then the cop treats it as an if/elsif/elsif... and lets all the when nodes count. In contrast to the CyclomaticComplexity cop, this cop considers else nodes as adding complexity.

Example:

def my_method                   # 1
  if cond                       # 1
    case var                    # 2 (0.8 + 4 * 0.2, rounded)
    when 1 then func_one
    when 2 then func_two
    when 3 then func_three
    when 4..10 then func_other
    end
  else                          # 1
    do_something until a && b   # 2
  end                           # ===
end                             # 7 complexity points

Cyclomatic complexity for filter_from_home? is too high. [28/25]
Open

  def filter_from_home?(status, receiver_id, crutches)
    return false if receiver_id == status.account_id
    return true  if status.reply? && (status.in_reply_to_id.nil? || status.in_reply_to_account_id.nil?)
    return true  if phrase_filtered?(status, receiver_id, :home)

Severity: Minor
Found in app/lib/feed_manager.rb by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one. Blocks that are calls to builtin iteration methods (e.g. `ary.map{...}`) also add one; others are ignored.

def each_child_node(*types)               # count begins: 1
  unless block_given?                     # unless: +1
    return to_enum(__method__, *types)
  end

  children.each do |child|                # each{}: +1
    next unless child.is_a?(Node)         # unless: +1

    yield child if types.empty? ||        # if: +1, ||: +1
                   types.include?(child.type)
  end

  self
end                                       # total: 6

Perceived complexity for remove_orphans is too high. [26/25]
Open

    def remove_orphans
      progress        = create_progress_bar(nil)
      reclaimed_bytes = 0
      removed         = 0
      dry_run         = options[:dry_run] ? ' (DRY RUN)' : ''
Severity: Minor
Found in lib/mastodon/media_cli.rb by rubocop

This cop tries to produce a complexity score that's a measure of the complexity the reader experiences when looking at a method. For that reason it considers when nodes as something that doesn't add as much complexity as an if or a &&. Except if it's one of those special case/when constructs where there's no expression after case. Then the cop treats it as an if/elsif/elsif... and lets all the when nodes count. In contrast to the CyclomaticComplexity cop, this cop considers else nodes as adding complexity.

Example:

def my_method                   # 1
  if cond                       # 1
    case var                    # 2 (0.8 + 4 * 0.2, rounded)
    when 1 then func_one
    when 2 then func_two
    when 3 then func_three
    when 4..10 then func_other
    end
  else                          # 1
    do_something until a && b   # 2
  end                           # ===
end                             # 7 complexity points

Perceived complexity for deploy is too high. [26/25]
Open

    def deploy
      if options[:concurrency] < 1
        say('Cannot run with this concurrency setting, must be at least 1', :red)
        exit(1)
      end
Severity: Minor
Found in lib/mastodon/search_cli.rb by rubocop

This cop tries to produce a complexity score that's a measure of the complexity the reader experiences when looking at a method. For that reason it considers when nodes as something that doesn't add as much complexity as an if or a &&. Except if it's one of those special case/when constructs where there's no expression after case. Then the cop treats it as an if/elsif/elsif... and lets all the when nodes count. In contrast to the CyclomaticComplexity cop, this cop considers else nodes as adding complexity.

Example:

def my_method                   # 1
  if cond                       # 1
    case var                    # 2 (0.8 + 4 * 0.2, rounded)
    when 1 then func_one
    when 2 then func_two
    when 3 then func_three
    when 4..10 then func_other
    end
  else                          # 1
    do_something until a && b   # 2
  end                           # ===
end                             # 7 complexity points

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (6.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (6.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

SQL Injection Vulnerability via ActiveRecord comments
Open

    activerecord (6.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22794

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 6.0.6.1, ~> 6.0.6, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (6.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (6.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
