hpham17/esential-2016

Showing 99 of 99 total issues

Improper Certificate Validation in oauth ruby gem
Open

    oauth (0.5.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-11086

Criticality: High

URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2

Solution: upgrade to >= 0.5.5

File Content Disclosure in Action View
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Path Traversal in Sprockets
Open

    sprockets (3.7.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Directory traversal vulnerability in rubyzip
Open

    rubyzip (1.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-5946

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/315

Solution: upgrade to >= 1.2.1

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Possible XSS vulnerability in Rack
Open

    rack (1.6.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

omniauth leaks authenticity token in callback params
Open

    omniauth (1.3.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Parameter value used in file name
Open

    File.open(Rails.root.join('public', 'uploads', uploaded_io.original_filename), 'wb') do |file|
Severity: Minor
Found in app/controllers/home_controller.rb by brakeman

Using user input when accessing files (local or remote) will raise a warning in Brakeman.

For example

File.open("/tmp/#{cookie[:file]}")

will raise an error like

Cookie value used in file name near line 4: File.open("/tmp/#{cookie[:file]}")

This type of vulnerability can be used to access arbitrary files on a server (including /etc/passwd).

Unused method argument - options. If it's necessary, use _ or _options as an argument name to indicate that it won't be used. You can also write as as_json(*) if you want the method to accept any arguments but don't care about them.
Open

  def as_json(options={})
Severity: Minor
Found in app/models/community.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

end at 52, 4 is not aligned with def at 50, 2.
Open

    end

This cop checks whether the end keywords of method definitions are aligned properly.

Two modes are supported through the EnforcedStyleAlignWith configuration parameter. If it's set to start_of_line (which is the default), the end shall be aligned with the start of the line where the def keyword is. If it's set to def, the end shall be aligned with the def keyword.

Example: EnforcedStyleAlignWith: start_of_line (default)

# bad

private def foo
            end

# good

private def foo
end

Example: EnforcedStyleAlignWith: def

# bad

private def foo
            end

# good

private def foo
        end

Unused method argument - resource. If it's necessary, use _ or _resource as an argument name to indicate that it won't be used. You can also write as after_sign_in_path_for(*) if you want the method to accept any arguments but don't care about them.
Open

  def after_sign_in_path_for(resource)

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

end at 11, 12 is not aligned with content_tag(:div, message, class: "alert #{bootstrap_class_for(msg_type)} fade in") do at 8, 13 or concat(content_tag(:div, message, class: "alert #{bootstrap_class_for(msg_type)} fade in") do at 8, 6.
Open

            end)
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop checks whether the end keywords are aligned properly for do end blocks.

Three modes are supported through the EnforcedStyleAlignWith configuration parameter:

start_of_block : the end shall be aligned with the start of the line where the do appeared.

start_of_line : the end shall be aligned with the start of the line where the expression started.

either (which is the default) : the end is allowed to be in either location. The autofixer will default to start_of_line.

Example: EnforcedStyleAlignWith: either (default)

# bad

foo.bar
   .each do
     baz
       end

# good

variable = lambda do |i|
  i
end

Example: EnforcedStyleAlignWith: start_of_block

# bad

foo.bar
   .each do
     baz
       end

# good

foo.bar
  .each do
     baz
   end

Example: EnforcedStyleAlignWith: start_of_line

# bad

foo.bar
   .each do
     baz
       end

# good

foo.bar
  .each do
     baz
end

Use == if you meant to do a comparison or wrap the expression in parentheses to indicate you meant to assign in a condition.
Open

  if spring = lockfile.specs.detect { |spec| spec.name == "spring" }
Severity: Minor
Found in bin/spring by rubocop

This cop checks for assignments in the conditions of if/while/until.

Example:

# bad

if some_var = true
  do_something
end

Example:

# good

if some_var == true
  do_something
end

Unused method argument - opts. If it's necessary, use _ or _opts as an argument name to indicate that it won't be used. You can also write as flash_messages(*) if you want the method to accept any arguments but don't care about them.
Open

  def flash_messages(opts = {})
Severity: Minor
Found in app/helpers/application_helper.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

Unused method argument - resource. If it's necessary, use _ or _resource as an argument name to indicate that it won't be used. You can also write as after_update_path_for(*) if you want the method to accept any arguments but don't care about them.
Open

  def after_update_path_for(resource)

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end