Showing 99 of 99 total issues
Improper Certificate Validation in oauth ruby gem Open
oauth (0.5.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-11086
Criticality: High
URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2
Solution: upgrade to >= 0.5.5
File Content Disclosure in Action View Open
actionview (4.2.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3
Path Traversal in Sprockets Open
sprockets (3.7.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Directory traversal vulnerability in rubyzip Open
rubyzip (1.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-5946
Criticality: Critical
URL: https://github.com/rubyzip/rubyzip/issues/315
Solution: upgrade to >= 1.2.1
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Denial of Service Vulnerability in Action View Open
actionview (4.2.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
Possible XSS vulnerability in Rack Open
rack (1.6.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Broken Access Control vulnerability in Active Job Open
activejob (4.2.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
omniauth leaks authenticity token in callback params Open
omniauth (1.3.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-18076
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/867
Solution: upgrade to >= 1.3.2
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)
- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.3)
- Read upRead up
- Exclude checks
Parameter value used in file name Open
File.open(Rails.root.join('public', 'uploads', uploaded_io.original_filename), 'wb') do |file|
- Read upRead up
- Exclude checks
Using user input when accessing files (local or remote) will raise a warning in Brakeman.
For example
File.open("/tmp/#{cookie[:file]}")
will raise an error like
Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")
This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd
.
Unused method argument - options
. If it's necessary, use _
or _options
as an argument name to indicate that it won't be used. You can also write as as_json(*)
if you want the method to accept any arguments but don't care about them. Open
def as_json(options={})
- Read upRead up
- Exclude checks
This cop checks for unused method arguments.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end
end
at 52, 4 is not aligned with def
at 50, 2. Open
end
- Read upRead up
- Exclude checks
This cop checks whether the end keywords of method definitions are aligned properly.
Two modes are supported through the EnforcedStyleAlignWith configuration
parameter. If it's set to start_of_line
(which is the default), the
end
shall be aligned with the start of the line where the def
keyword is. If it's set to def
, the end
shall be aligned with the
def
keyword.
Example: EnforcedStyleAlignWith: startofline (default)
# bad
private def foo
end
# good
private def foo
end
Example: EnforcedStyleAlignWith: def
# bad
private def foo
end
# good
private def foo
end
Unused method argument - resource
. If it's necessary, use _
or _resource
as an argument name to indicate that it won't be used. You can also write as after_sign_in_path_for(*)
if you want the method to accept any arguments but don't care about them. Open
def after_sign_in_path_for(resource)
- Read upRead up
- Exclude checks
This cop checks for unused method arguments.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end
end
at 11, 12 is not aligned with content_tag(:div, message, class: "alert #{bootstrap_class_for(msg_type)} fade in") do
at 8, 13 or concat(content_tag(:div, message, class: "alert #{bootstrap_class_for(msg_type)} fade in") do
at 8, 6. Open
end)
- Read upRead up
- Exclude checks
This cop checks whether the end keywords are aligned properly for do end blocks.
Three modes are supported through the EnforcedStyleAlignWith
configuration parameter:
start_of_block
: the end
shall be aligned with the
start of the line where the do
appeared.
start_of_line
: the end
shall be aligned with the
start of the line where the expression started.
either
(which is the default) : the end
is allowed to be in either
location. The autofixer will default to start_of_line
.
Example: EnforcedStyleAlignWith: either (default)
# bad
foo.bar
.each do
baz
end
# good
variable = lambda do |i|
i
end
Example: EnforcedStyleAlignWith: startofblock
# bad
foo.bar
.each do
baz
end
# good
foo.bar
.each do
baz
end
Example: EnforcedStyleAlignWith: startofline
# bad
foo.bar
.each do
baz
end
# good
foo.bar
.each do
baz
end
Use ==
if you meant to do a comparison or wrap the expression in parentheses to indicate you meant to assign in a condition. Open
if spring = lockfile.specs.detect { |spec| spec.name == "spring" }
- Read upRead up
- Exclude checks
This cop checks for assignments in the conditions of if/while/until.
Example:
# bad
if some_var = true
do_something
end
Example:
# good
if some_var == true
do_something
end
Unused method argument - opts
. If it's necessary, use _
or _opts
as an argument name to indicate that it won't be used. You can also write as flash_messages(*)
if you want the method to accept any arguments but don't care about them. Open
def flash_messages(opts = {})
- Read upRead up
- Exclude checks
This cop checks for unused method arguments.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end
Unused method argument - resource
. If it's necessary, use _
or _resource
as an argument name to indicate that it won't be used. You can also write as after_update_path_for(*)
if you want the method to accept any arguments but don't care about them. Open
def after_update_path_for(resource)
- Read upRead up
- Exclude checks
This cop checks for unused method arguments.
Example:
# bad
def some_method(used, unused, _unused_but_allowed)
puts used
end
Example:
# good
def some_method(used, _unused, _unused_but_allowed)
puts used
end