helpyio/helpy


Showing 242 of 242 total issues

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

    simple_form (3.5.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16676

Criticality: Critical

URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx

Solution: upgrade to >= 5.0

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (4.2.11.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.9.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

Denial of service via header parsing in Rack
Open

    rack (1.6.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (4.2.11.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

Function ready has 309 lines of code (exceeds 25 allowed). Consider refactoring.
Open

Helpy.ready = function(){

  $('.selectpicker').selectpicker({});

  $(".best_in_place").best_in_place();
Severity: Major
Found in app/assets/javascripts/app.js - About 1 day to fix

Similar blocks of code found in 2 locations. Consider refactoring.
Open

$(".popout .btn").off().on('click', function(e){

  // reload the iframe content
  $widgetIframe.attr('src', helpyDomain + "/widget");

Severity: Major
Found in app/assets/javascripts/widget.v1.js and 1 other location - About 1 day to fix
app/assets/javascripts/widget.v2.js on lines 101..120

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 267.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.


Similar blocks of code found in 2 locations. Consider refactoring.
Open

$(".popout .btn").off().on('click', function(e){

  // reload the iframe content
  $widgetIframe.attr('src', helpyDomain + "/widget");

Severity: Major
Found in app/assets/javascripts/widget.v2.js and 1 other location - About 1 day to fix
app/assets/javascripts/widget.v1.js on lines 101..120


Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.7.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.7.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Inefficient Regular Expression Complexity in Loofah
Open

    loofah (2.7.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23514

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Solution: upgrade to >= 2.19.1

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.10.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.10.10)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.10.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.10.10)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.10.10)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

HTTP Request Smuggling in puma
Open

    puma (5.5.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3
