Showing 50 of 50 total issues
Denial of Service Vulnerability in Rack Multipart Parsing Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-30122
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Denial of service via header parsing in Rack Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
Denial of Service Vulnerability in Rack Content-Disposition parsing Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Use warn
instead of $stderr.puts
to allow such output to be disabled. Open
$stderr.puts e.message
- Read upRead up
- Exclude checks
This cop identifies places where $stderr.puts
can be replaced by
warn
. The latter has the advantage of easily being disabled by,
e.g. the -W0 interpreter flag, or setting $VERBOSE to nil.
Example:
# bad
$stderr.puts('hello')
# good
warn('hello')
Use warn
instead of $stderr.puts
to allow such output to be disabled. Open
$stderr.puts 'Run `bundle install` to install missing gems'
- Read upRead up
- Exclude checks
This cop identifies places where $stderr.puts
can be replaced by
warn
. The latter has the advantage of easily being disabled by,
e.g. the -W0 interpreter flag, or setting $VERBOSE to nil.
Example:
# bad
$stderr.puts('hello')
# good
warn('hello')
%w
-literals should be delimited by [
and ]
. Open
gem.authors = %w(teonimesic ggouzi)
- Read upRead up
- Exclude checks
This cop enforces the consistent usage of %
-literal delimiters.
Specify the 'default' key to set all preferred delimiters at once. You can continue to specify individual preferred delimiters to override the default.
Example:
# Style/PercentLiteralDelimiters:
# PreferredDelimiters:
# default: '[]'
# '%i': '()'
# good
%w[alpha beta] + %i(gamma delta)
# bad
%W(alpha #{beta})
# bad
%I(alpha beta)
Avoid rescuing without specifying an error class. Open
rescue
- Read upRead up
- Exclude checks
This cop checks for rescuing StandardError
. There are two supported
styles implicit
and explicit
. This cop will not register an offense
if any error other than StandardError
is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Example: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Avoid rescuing without specifying an error class. Open
rescue
- Read upRead up
- Exclude checks
This cop checks for rescuing StandardError
. There are two supported
styles implicit
and explicit
. This cop will not register an offense
if any error other than StandardError
is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Example: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Unnecessary utf-8 encoding comment. Open
# encoding: utf-8
- Exclude checks
URI.encode
method is obsolete and should not be used. Instead, use CGI.escape
, URI.encode_www_form
or URI.encode_www_form_component
depending on your specific use case. Open
search_url = YOUTUBE_SEARCH_URL + URI.encode(name)
- Read upRead up
- Exclude checks
This cop identifies places where URI.escape
can be replaced by
CGI.escape
, URI.encode_www_form
or URI.encode_www_form_component
depending on your specific use case.
Also this cop identifies places where URI.unescape
can be replaced by
CGI.unescape
, URI.decode_www_form
or URI.decode_www_form_component
depending on your specific use case.
Example:
# bad
URI.escape('http://example.com')
URI.encode('http://example.com')
# good
CGI.escape('http://example.com')
URI.encode_www_form([['example', 'param'], ['lang', 'en']])
URI.encode_www_form(page: 10, locale: 'en')
URI.encode_www_form_component('http://example.com')
# bad
URI.unescape(enc_uri)
URI.decode(enc_uri)
# good
CGI.unescape(enc_uri)
URI.decode_www_form(enc_uri)
URI.decode_www_form_component(enc_uri)