hacken-in/hacken-in

Showing 143 of 144 total issues

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Possible XSS vulnerability in Rack
Open

    rack (1.6.10)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

File Content Disclosure in Action View
Open

    actionview (4.2.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

OS Command Injection in Rake
Open

    rake (12.3.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Possible information leak / session hijack vulnerability
Open

    rack (1.6.10)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

Loofah XSS Vulnerability
Open

    loofah (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

Potential remote code execution of user-provided local names in ActionView
Open

    actionview (4.2.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8163

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

Solution: upgrade to >= 4.2.11.2

Improper Certificate Validation in oauth ruby gem
Open

    oauth (0.5.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-11086

Criticality: High

URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2

Solution: upgrade to >= 0.5.5

Complex method User::from_omniauth (25.8)
Open

  def self.from_omniauth(auth)
    auth_token = Authorization.where(provider: auth.provider, uid: auth.uid).first
    # If we have a token without an associated user (user canceled signup), we delete it and the user has to sign up
    if (auth_token && auth_token.user.nil?)
      auth_token.destroy
Severity: Minor
Found in app/models/user.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method namespace(setup)::task#admin (25.3)
Open

  task admin: :environment do
    nick = ENV["user"] || begin
      puts "Username:"
      STDIN.gets.strip
    end
Severity: Minor
Found in lib/tasks/setup.rake by flog

Complex method Radar::Rss#next_events (25.1)
Open

    def next_events
      feed = Feedjira::Feed.parse open(@radar_setting.url, &:read)
      entries = feed.entries.sort_by(&:published)
      if @radar_setting.last_processed.nil?
        entries = entries[1..4]
Severity: Minor
Found in lib/radar/rss.rb by flog

Method is_for_user? has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

  def is_for_user?(user)
    return true unless user
    # Let us be a little more verbose than the old code
    # !((self.event.tag_list & user.hate_list).length > 0 && self.users.exclude?(user))
    hated_tags_event = (self.event.tag_list & user.hate_list)
Severity: Minor
Found in app/models/single_event.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Method all has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

  def all

    # If there is no token, but we are currently logged in
    if current_user
      @auth = Authorization.create_authorization(request.env["omniauth.auth"], current_user)
Severity: Minor
Found in app/controllers/callbacks_controller.rb - About 45 mins to fix

Complex method Radar::Twitter#tweets (24.8)
Open

    def tweets(client, page_id = nil)
      messages = if page_id.nil?
                   client.user_timeline(twitter_handle, exclude_replies: true)
                 else
                   client.user_timeline(twitter_handle, exclude_replies: true, max_id: page_id)
Severity: Minor
Found in lib/radar/twitter.rb by flog

Complex method column#content (23.2)
Open

    column :content do |entry|
      if entry.content
        (
          "<p><strong>#{entry.content[:title]}</strong></p>" +
          "#{sanitize entry.content[:description]}" +
Severity: Minor
Found in app/admin/radar_entries.rb by flog

Complex method ApplicationHelper#collect_links (23.1)
Open

  def collect_links(item)
    links = []

    if item.url.present?
      links << { url: item.url,
Severity: Minor
Found in app/helpers/application_helper.rb by flog
