Showing 219 of 219 total issues
Remote code execution in Kramdown Open
kramdown (1.17.0)
Advisory: CVE-2021-28834
Criticality: Critical
URL: https://github.com/advisories/GHSA-52p9-v744-mwjj
Solution: upgrade to >= 2.3.1
Unintended read access in kramdown gem Open
kramdown (1.17.0)
Advisory: CVE-2020-14001
Criticality: Critical
URL: https://github.com/advisories/GHSA-mqm2-cgpr-p4m6
Solution: upgrade to >= 2.3.0
Regular Expression Denial of Service in Addressable templates Open
addressable (2.5.2)
Advisory: CVE-2021-32740
Criticality: High
URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g
Solution: upgrade to >= 2.8.0
Assignment Branch Condition size for generateEventDocument is too high. [33.3/15] Open
def generateEventDocument(event)
doc = Jekyll::Document.new('', :site => @site, :collection => @collection)
doc.data['title'] = event['name']
doc.data['dateStart'] = convertDate(event['time'],event['utc_offset'])
if event['duration']
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Method has too many lines. [17/10] Open
def getMeetUpGroupEvents(group)
maxRetryTimeout = 50
initialRetries = 5
begin
retries ||= initialRetries
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Method has too many lines. [17/10] Open
def split_string(input, length = 75, prepend = " ")
output = ""
splitLines = input.lines
splitLines.each do | line |
if line.bytesize <= length
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Assignment Branch Condition size for split_string is too high. [20.9/15] Open
def split_string(input, length = 75, prepend = " ")
output = ""
splitLines = input.lines
splitLines.each do | line |
if line.bytesize <= length
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Method has too many lines. [15/10] Open
def generate(site)
@site = site
@collection = @site.collections["events"]
MeetupClient.configure do |config|
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Method has too many lines. [14/10] Open
def generateEventDocument(event)
doc = Jekyll::Document.new('', :site => @site, :collection => @collection)
doc.data['title'] = event['name']
doc.data['dateStart'] = convertDate(event['time'],event['utc_offset'])
if event['duration']
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Complex method MeetupFetcher::Generator#generateEventDocument (41.0) Open
def generateEventDocument(event)
doc = Jekyll::Document.new('', :site => @site, :collection => @collection)
doc.data['title'] = event['name']
doc.data['dateStart'] = convertDate(event['time'],event['utc_offset'])
if event['duration']
Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.
You can read more about ABC metrics or the flog tool
Assignment Branch Condition size for generate is too high. [18.81/15] Open
def generate(site)
@site = site
@collection = @site.collections["events"]
MeetupClient.configure do |config|
This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric
Complex method Jekyll::IcsFilter#split_string (35.2) Open
def split_string(input, length = 75, prepend = " ")
output = ""
splitLines = input.lines
splitLines.each do | line |
if line.bytesize <= length
Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.
You can read more about ABC metrics or the flog tool
Complex method MeetupFetcher::Generator#generate (26.4) Open
def generate(site)
@site = site
@collection = @site.collections["events"]
MeetupClient.configure do |config|
Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.
You can read more about ABC metrics or the flog tool
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.5)
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
MeetupFetcher::Generator#getMeetUpGroupEvents has approx 12 statements Open
def getMeetUpGroupEvents(group)
A method with Too Many Statements is any method that has a large number of lines. Too Many Statements warns about any method that has more than 5 statements. Reek's smell detector for Too Many Statements counts +1 for every simple statement in a method and +1 for every statement within a control structure (if, else, case, when, for, while, until, begin, rescue) but it doesn't count the control structure itself.
So the following method would score +6 in Reek's statement-counting algorithm:
def parse(arg, argv, &error)
if !(val = arg) and (argv.empty? or /\A-/ =~ (val = argv[0]))
return nil, block, nil # +1
end
opt = (val = parse_arg(val, &error))[1] # +2
val = conv_arg(*val) # +3
if opt and !arg
argv.shift # +4
else
val[0] = nil # +5
end
val # +6
end
(You might argue that the two assignments within the first if should count as statements, and that perhaps the nested assignment should count as +2.)
ReDoS based DoS vulnerability in Active Support’s underscore Open
activesupport (5.2.1)
Advisory: CVE-2023-22796
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Jekyll::IcsFilter#split_string refers to 'line' more than self (maybe move it to another class?) Open
if line.bytesize <= length
output += line
else
firstline = utf8_valid(line.byteslice(0,length))
output += firstline
Feature Envy occurs when a code fragment references another object more often than it references itself, or when several clients do the same series of manipulations on a particular type of object.
Feature Envy reduces the code's ability to communicate intent: code that "belongs" on one class but which is located in another can be hard to find, and may upset the "System of Names" in the host class.
Feature Envy also affects the design's flexibility: A code fragment that is in the wrong class creates couplings that may not be natural within the application's domain, and creates a loss of cohesion in the unwilling host class.
Feature Envy often arises because it must manipulate other objects (usually its arguments) to get them into a useful form, and one force preventing them (the arguments) doing this themselves is that the common knowledge lives outside the arguments, or the arguments are of too basic a type to justify extending that type. Therefore there must be something which 'knows' about the contents or purposes of the arguments. That thing would have to be more than just a basic type, because the basic types are either containers which don't know about their contents, or they are single objects which can't capture their relationship with their fellows of the same type. So, this thing with the extra knowledge should be reified into a class, and the utility method will most likely belong there.
Example
Running Reek on:
class Warehouse
def sale_price(item)
(item.price - item.rebate) * @vat
end
end
would report:
Warehouse#sale_price refers to item more than self (FeatureEnvy)
since this:
(item.price - item.rebate)
belongs to the Item class, not the Warehouse.
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.2.1)
Advisory: CVE-2020-8165
Criticality: Critical
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
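The six advisories in this report all come from the same check: the version pinned in Gemfile.lock is compared with the advisory's patched-version requirements. The following is an added example, not part of the report and not the site's code, that re-runs that comparison with nothing but the rubygems standard library. The advisory table is transcribed from the entries above, the lockfile excerpt is constructed for the example, and the pairing of each flattened "Solution" line into requirement groups is this example's own reading, stated in the comments.

```ruby
# Added example: re-check Gemfile.lock pins against the advisories in the report
# above, using only the rubygems standard library (no bundler-audit needed).
require 'rubygems'

# Advisories transcribed from the report. `patched` is a list of alternative
# requirement groups: a version is patched when it satisfies EVERY constraint in
# ANY ONE group. The report prints the groups flattened into one comma-separated
# "Solution" line, so the pairing below (">= 5.2.8.15" with "~> 5.2.8", and so
# on) is this example's reading of that line, not something the report states.
ADVISORIES = [
  { gem: 'kramdown',      cve: 'CVE-2021-28834', patched: [['>= 2.3.1']] },
  { gem: 'kramdown',      cve: 'CVE-2020-14001', patched: [['>= 2.3.0']] },
  { gem: 'addressable',   cve: 'CVE-2021-32740', patched: [['>= 2.8.0']] },
  { gem: 'tzinfo',        cve: 'CVE-2022-31163', patched: [['~> 0.3.61'], ['>= 1.2.10']] },
  { gem: 'activesupport', cve: 'CVE-2023-22796',
    patched: [['>= 5.2.8.15', '~> 5.2.8'], ['>= 6.1.7.1', '~> 6.1.7'], ['>= 7.0.4.1']] },
  { gem: 'activesupport', cve: 'CVE-2020-8165',
    patched: [['>= 5.2.4.3', '~> 5.2.4'], ['>= 6.0.3.1']] }
].freeze

# Constructed Gemfile.lock excerpt pinning the versions the report flags.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (5.2.1)
        concurrent-ruby (~> 1.0, >= 1.0.2)
        tzinfo (~> 1.1)
      addressable (2.5.2)
        public_suffix (>= 2.0.2, < 4.0)
      kramdown (1.17.0)
      tzinfo (1.2.5)
        thread_safe (~> 0.1)

  PLATFORMS
    ruby
LOCK

# A resolved spec is indented by exactly four spaces; its dependency lines are
# indented deeper and carry constraints, not versions, so they must be skipped.
SPEC_LINE = /\A {4}(\S+) \(([^\s()]+)\)\z/

# Returns { gem name => Gem::Version } for every spec in the lockfile's GEM block.
def parse_lockfile(text)
  in_specs = false
  text.each_line.with_object({}) do |raw, specs|
    line = raw.chomp
    in_specs = true if line == '  specs:'
    in_specs = false if line.strip.empty? # the specs block ends at a blank line
    next unless in_specs && (m = SPEC_LINE.match(line))
    # "1.2.3-x86_64-linux" style pins carry a platform suffix; drop it.
    specs[m[1]] = Gem::Version.new(m[2].split('-').first)
  end
end

def patched?(version, groups)
  groups.any? { |group| Gem::Requirement.new(*group).satisfied_by?(version) }
end

# Returns one finding per advisory whose gem is pinned to an unpatched version.
def audit(lockfile_text, advisories = ADVISORIES)
  specs = parse_lockfile(lockfile_text)
  advisories.map do |adv|
    version = specs[adv[:gem]]
    next if version.nil? || patched?(version, adv[:patched])
    { gem: adv[:gem], version: version.to_s, cve: adv[:cve],
      fix: adv[:patched].map { |g| g.join(', ') }.join(' or ') }
  end.compact
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCKFILE).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:cve]} (upgrade to #{f[:fix]})"
  end
end
```

The grouping matters: read as independent alternatives, the flattened "~> 5.2.8" would mark activesupport 5.2.8 as patched for CVE-2023-22796, while the advisory actually requires 5.2.8.15 on that branch. The parser only handles the GEM block of a lockfile; gems pulled from GIT or PATH sources are listed differently and are not checked here.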
Jekyll::IcsFilter#split_string has approx 11 statements Open
def split_string(input, length = 75, prepend = " ")
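Every finding against Jekyll::IcsFilter#split_string above (method length, ABC size, Flog score, Too Many Statements, Feature Envy on `line`) points at the same shape of fix: the per-line work belongs in its own small method. The report only shows the first lines of split_string, so what follows is an added example of that shape, not the site's own code. It implements RFC 5545 line folding (content lines of at most 75 octets, continuation lines starting with a single space, never splitting a multi-byte UTF-8 character) with one method per concern; the names `utf8_safe_prefix`, `fold_line`, `fold_ics` and `unfold_ics` are this example's, and the sample input is constructed.

```ruby
# Added example: RFC 5545 line folding split into single-purpose methods.
# Not the site's Jekyll::IcsFilter#split_string; names are this example's own.

MAX_OCTETS = 75    # RFC 5545 section 3.1: content lines SHOULD NOT exceed 75 octets
FOLD_PREFIX = ' '  # a continuation line starts with a single whitespace character

# Largest prefix of `str` that fits in `max` bytes without cutting a UTF-8
# character in half, which is what a plain byteslice(0, max) would do.
def utf8_safe_prefix(str, max)
  return str if str.bytesize <= max
  prefix = str.byteslice(0, max)
  prefix = prefix.byteslice(0, prefix.bytesize - 1) until prefix.valid_encoding?
  prefix
end

# Fold one content line (without its terminator) into physical lines.
# The first piece may use the full budget; later pieces lose one byte to
# the fold prefix.
def fold_line(line, max_octets = MAX_OCTETS)
  pieces = []
  rest = line
  until rest.empty?
    limit = pieces.empty? ? max_octets : max_octets - FOLD_PREFIX.bytesize
    head = utf8_safe_prefix(rest, limit)
    raise ArgumentError, 'max_octets too small for a multibyte character' if head.empty?
    pieces << (pieces.empty? ? head : FOLD_PREFIX + head)
    rest = rest.byteslice(head.bytesize, rest.bytesize - head.bytesize)
  end
  pieces.empty? ? [''] : pieces
end

# Fold a whole iCalendar body; RFC 5545 requires CRLF line terminators.
def fold_ics(text, max_octets = MAX_OCTETS)
  text.each_line.flat_map { |l| fold_line(l.chomp, max_octets) }.join("\r\n")
end

# Inverse operation (CRLF followed by one space or tab is removed), useful as a
# round-trip check on the folder.
def unfold_ics(text)
  text.gsub(/\r\n[ \t]/, '')
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a description of 40 two-byte characters (92 octets).
  puts fold_ics("BEGIN:VEVENT\nDESCRIPTION:#{'é' * 40}\nEND:VEVENT\n")
end
```

The loop in `utf8_safe_prefix` is the detail the original needed `utf8_valid` for: a 75-octet cut that lands inside a two-byte character shrinks to 74 octets rather than emitting an invalid byte. A reviewer would also note that the fold is done on `bytesize`, not `length`, since the 75-octet limit is about bytes on the wire.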
MeetupFetcher::Generator#generateEventDocument refers to 'event' more than self (maybe move it to another class?) Open
doc.data['title'] = event['name']
doc.data['dateStart'] = convertDate(event['time'],event['utc_offset'])
if event['duration']
doc.data['dateEnd'] = convertDate(event['time']+event['duration'],event['utc_offset'])
end
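For the Feature Envy finding on MeetupFetcher::Generator#generateEventDocument the same cure applies as in the Warehouse example: the knowledge of what `event['name']`, `event['time']`, `event['utc_offset']` and `event['duration']` mean belongs on an object that represents the event, not in the generator. The following is an added example of that refactor, not the site's code. It assumes, as its own convention, that `time`, `duration` and `utc_offset` are integers in milliseconds; the report does not show convertDate, so the conversion here is this example's, and Jekyll's Document is stood in for by a plain hash so the example runs without Jekyll.

```ruby
# Added example (not the site's MeetupFetcher::Generator): per-event field
# handling moved into a value object, the usual fix for Feature Envy.
require 'time'

class MeetupEvent
  # `attrs` is the raw event hash as returned by the Meetup API. Assumed here:
  # 'time', 'duration' and 'utc_offset' are integer milliseconds.
  def initialize(attrs)
    @attrs = attrs
  end

  def title
    @attrs.fetch('name')
  end

  # Local wall-clock start: epoch milliseconds shifted by the group's UTC offset.
  def starts_at
    local_time(@attrs.fetch('time'))
  end

  # Meetup omits 'duration' for open-ended events; then there is no end time.
  def ends_at
    duration = @attrs['duration']
    duration && local_time(@attrs.fetch('time') + duration)
  end

  # Front-matter hash in the shape the generator copies into doc.data.
  def to_document_data
    data = { 'title' => title, 'dateStart' => starts_at.iso8601 }
    data['dateEnd'] = ends_at.iso8601 if ends_at
    data
  end

  private

  def local_time(epoch_ms)
    offset_seconds = @attrs.fetch('utc_offset', 0) / 1000
    Time.at(epoch_ms / 1000).utc.localtime(offset_seconds)
  end
end

# What remains of the generator method: it only glues the value object to the
# document, so it no longer refers to `event` more often than to itself.
# A plain hash stands in for Jekyll::Document here.
def generate_event_document(event_attrs)
  { 'data' => MeetupEvent.new(event_attrs).to_document_data }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample event: 2023-03-14 19:00 UTC, offset +01:00, two hours long.
  sample = { 'name' => 'Monthly meetup', 'time' => 1_678_820_400_000,
             'utc_offset' => 3_600_000, 'duration' => 7_200_000 }
  p generate_event_document(sample)
end
```

With the field handling on MeetupEvent, the `if event['duration']` branch that contributed to the ABC and line-count findings disappears from the generator as well; the optional end time is now MeetupEvent's concern.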