Showing 98 of 98 total issues
Possible command injection Open
system(cmd)- Read upRead up
- Exclude checks
Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.
There are many ways to run commands in Ruby:
`ls #{params[:file]}`
system("ls #{params[:dir]}")
exec("md5sum #{params[:input]}")Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.
See the Ruby Security Guide for details.
Similar blocks of code found in 2 locations. Consider refactoring. Open
def destroy
@app = App.find_by!(id: params[:app_id], server: params[:server_id])
@domain = @app.domains.find(params[:id])
DeleteDomainJob.perform_later(@app, @domain.name) if @domain.destroy- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 29.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Similar blocks of code found in 2 locations. Consider refactoring. Open
def destroy
@app = App.find_by!(id: params[:app_id], server: params[:server_id])
@env_var = @app.env_vars.find(params[:id])
DeleteEnvVarJob.perform_later(@app, @env_var.key) if @env_var.destroy- Read upRead up
Duplicated Code
Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:
Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.
When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).
Tuning
This issue has a mass of 29.
We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.
The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.
If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.
See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.
Refactorings
- Extract Method
- Extract Class
- Form Template Method
- Introduce Null Object
- Pull Up Method
- Pull Up Field
- Substitute Algorithm
Further Reading
- Don't Repeat Yourself on the C2 Wiki
- Duplicated Code on SourceMaking
- Refactoring: Improving the Design of Existing Code by Martin Fowler. Duplicated Code, p76
Unused block argument - success. You can omit all the arguments if you don't care about them. Open
channel.exec install_dokku do |_, success|- Read upRead up
- Exclude checks
This cop checks for unused block arguments.
Example:
# bad
do_something do |used, unused|
puts used
end
do_something do |bar|
puts :foo
end
define_method(:foo) do |bar|
puts :baz
endExample:
#good
do_something do |used, _unused|
puts used
end
do_something do
puts :foo
end
define_method(:foo) do |_bar|
puts :baz
endBroken Access Control vulnerability in Active Job Open
activejob (5.1.6)- Read upRead up
- Exclude checks
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
Gems should be sorted in an alphabetical order within their section of the Gemfile. Gem dotenv-rails should appear before webdrivers. Open
gem "dotenv-rails", "2.2.1"- Read upRead up
- Exclude checks
Gems should be alphabetically sorted within groups.
Example:
# bad
gem 'rubocop'
gem 'rspec'
# good
gem 'rspec'
gem 'rubocop'
# good
gem 'rubocop'
gem 'rspec'
# good only if TreatCommentsAsGroupSeparators is true
# For code quality
gem 'rubocop'
# For tests
gem 'rspec'Denial of Service Vulnerability in Action View Open
actionview (5.1.6)- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
File Content Disclosure in Action View Open
actionview (5.1.6)- Read upRead up
- Exclude checks
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3
Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||. Open
if data =~ /To proceed, type "#{app_name}"/- Read upRead up
- Exclude checks
Checks for if and unless statements that would fit on one line
if written as a modifier if/unless. The maximum line length is
configured in the Metrics/LineLength cop.
Example:
# bad
if condition
do_stuff(bar)
end
unless qux.empty?
Foo.do_something
end
# good
do_stuff(bar) if condition
Foo.do_something unless qux.empty?Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||. Open
if data =~ /Keyfile for initial user:/- Read upRead up
- Exclude checks
Checks for if and unless statements that would fit on one line
if written as a modifier if/unless. The maximum line length is
configured in the Metrics/LineLength cop.
Example:
# bad
if condition
do_stuff(bar)
end
unless qux.empty?
Foo.do_something
end
# good
do_stuff(bar) if condition
Foo.do_something unless qux.empty?Line is too long. [123/110] Open
"wget -O bootstrap.sh https://raw.githubusercontent.com/dokku/dokku/#{server.latest_dokku_version}/bootstrap.sh && "\- Exclude checks
Extra empty line detected at block body beginning. Open
channel.on_extended_data do |_, type, data|- Read upRead up
- Exclude checks
This cops checks if empty lines around the bodies of blocks match the configuration.
Example: EnforcedStyle: empty_lines
# good
foo do |bar|
# ...
endExample: EnforcedStyle: noemptylines (default)
# good
foo do |bar|
# ...
endFIXME found Open
- FIXME- Exclude checks
TODO found Open
TODO- Exclude checks
TODO found Open
- TODO- Exclude checks
HACK found Open
- HACK- Exclude checks
TODO found Open
TODO- Exclude checks
TODO found Open
TODO- Exclude checks