Sign upLogin

hacken-in/hacken-in

View on GitHub
Star

Showing 143 of 144 total issues

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Server-side request forgery in CarrierWave
Open

    carrierwave (1.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.2)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

    better_errors (2.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

HTTP Response Splitting vulnerability in puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5247

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Complex method ActiveAdminAbility#initialize (77.9)
Open

  def initialize(user)
    if user.present? && user.admin?
      can :manage, :all
    elsif user.present?
      # Achtung! Keine Blocks benutzen, sondern immer die
Severity: Minor
Found in app/models/active_admin_ability.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method CallbacksController#all (55.4)
Open

  def all

    # If there is no token, but we are currently logged in
    if current_user
      @auth = Authorization.create_authorization(request.env["omniauth.auth"], current_user)
Severity: Minor
Found in app/controllers/callbacks_controller.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method SingleEvent#<=> (51.7)
Open

  def <=>(other)
    if (self.occurrence.year != other.occurrence.year) || (self.occurrence.month != other.occurrence.month) || (self.occurrence.day != other.occurrence.day)
      # not on same day
      return self.occurrence <=> other.occurrence
    elsif self.full_day
Severity: Minor
Found in app/models/single_event.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method main#create (49.4)
Open

    def create
      create! do |success, failure|
        success.html do
          redirect_to admin_event_path(params[:event_id])
Severity: Minor
Found in app/admin/radar_settings.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Method reset_pk_sequence! has a Cognitive Complexity of 20 (exceeds 5 allowed). Consider refactoring.
Open

                def reset_pk_sequence!(table, pk = nil, sequence = nil) #:nodoc:
                    unless pk and sequence
                        default_pk, default_sequence = pk_and_sequence_for(table)

                        pk ||= default_pk
Severity: Minor
Found in config/initializers/backport_pg_10_support_to_rails_4.rb - About 2 hrs to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Complex method main#reconstruct_start_time (44.0)
Open

    def reconstruct_start_time
      params[:event]["start_time"] = Time.zone.local(
        params[:event].delete("start_time(1i)").to_i,
        params[:event].delete("start_time(2i)").to_i,
        params[:event].delete("start_time(3i)").to_i,
Severity: Minor
Found in app/admin/events.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Severity
Category
Status
Source
Language