Sign upLogin

hacken-in/website

View on GitHub
Star

Showing 144 of 144 total issues

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.2)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.5.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Uncontrolled Recursion in Loofah
Open

    loofah (2.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23516

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Solution: upgrade to >= 2.19.1

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.4.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (4.4.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Complex method ActiveAdminAbility#initialize (77.9)
Open

  def initialize(user)
    if user.present? && user.admin?
      can :manage, :all
    elsif user.present?
      # Achtung! Keine Blocks benutzen, sondern immer die
Severity: Minor
Found in app/models/active_admin_ability.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method CallbacksController#all (55.4)
Open

  def all

    # If there is no token, but we are currently logged in
    if current_user
      @auth = Authorization.create_authorization(request.env["omniauth.auth"], current_user)
Severity: Minor
Found in app/controllers/callbacks_controller.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method SingleEvent#<=> (51.7)
Open

  def <=>(other)
    if (self.occurrence.year != other.occurrence.year) || (self.occurrence.month != other.occurrence.month) || (self.occurrence.day != other.occurrence.day)
      # not on same day
      return self.occurrence <=> other.occurrence
    elsif self.full_day
Severity: Minor
Found in app/models/single_event.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method main#create (49.4)
Open

    def create
      create! do |success, failure|
        success.html do
          redirect_to admin_event_path(params[:event_id])
Severity: Minor
Found in app/admin/radar_settings.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Method reset_pk_sequence! has a Cognitive Complexity of 20 (exceeds 5 allowed). Consider refactoring.
Open

                def reset_pk_sequence!(table, pk = nil, sequence = nil) #:nodoc:
                    unless pk and sequence
                        default_pk, default_sequence = pk_and_sequence_for(table)

                        pk ||= default_pk
Severity: Minor
Found in config/initializers/backport_pg_10_support_to_rails_4.rb - About 2 hrs to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Complex method main#reconstruct_start_time (44.0)
Open

    def reconstruct_start_time
      params[:event]["start_time"] = Time.zone.local(
        params[:event].delete("start_time(1i)").to_i,
        params[:event].delete("start_time(2i)").to_i,
        params[:event].delete("start_time(3i)").to_i,
Severity: Minor
Found in app/admin/events.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Severity
Category
Status
Source
Language