intercity/intercity-next

Showing 98 of 98 total issues

Possible command injection
Open

    system(cmd)
Severity: Minor
Found in app/models/ssh_execution.rb by brakeman

Injection is #1 on the 2010 OWASP Top Ten web security risks. Command injection occurs when shell commands unsafely include user-manipulatable values.

There are many ways to run commands in Ruby:

`ls #{params[:file]}`

system("ls #{params[:dir]}")

exec("md5sum #{params[:input]}")

Brakeman will warn on any method like these that uses user input or unsafely interpolates variables.

See the Ruby Security Guide for details.

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  def destroy
    @app = App.find_by!(id: params[:app_id], server: params[:server_id])
    @domain = @app.domains.find(params[:id])
    DeleteDomainJob.perform_later(@app, @domain.name) if @domain.destroy
Severity: Minor
Found in app/controllers/domains_controller.rb and 1 other location - About 25 mins to fix
app/controllers/env_vars_controller.rb on lines 13..16

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 29.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  def destroy
    @app = App.find_by!(id: params[:app_id], server: params[:server_id])
    @env_var = @app.env_vars.find(params[:id])
    DeleteEnvVarJob.perform_later(@app, @env_var.key) if @env_var.destroy
Severity: Minor
Found in app/controllers/env_vars_controller.rb and 1 other location - About 25 mins to fix
app/controllers/domains_controller.rb on lines 13..16

Unused block argument - success. You can omit all the arguments if you don't care about them.
Open

        channel.exec install_dokku do |_, success|
Severity: Minor
Found in app/jobs/install_server_job.rb by rubocop

This cop checks for unused block arguments.

Example:

# bad

do_something do |used, unused|
  puts used
end

do_something do |bar|
  puts :foo
end

define_method(:foo) do |bar|
  puts :baz
end

Example:

# good

do_something do |used, _unused|
  puts used
end

do_something do
  puts :foo
end

define_method(:foo) do |_bar|
  puts :baz
end

Broken Access Control vulnerability in Active Job
Open

    activejob (5.1.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Gems should be sorted in an alphabetical order within their section of the Gemfile. Gem dotenv-rails should appear before webdrivers.
Open

  gem "dotenv-rails", "2.2.1"
Severity: Minor
Found in Gemfile by rubocop

Gems should be alphabetically sorted within groups.

Example:

# bad
gem 'rubocop'
gem 'rspec'

# good
gem 'rspec'
gem 'rubocop'

# good
gem 'rubocop'

gem 'rspec'

# good only if TreatCommentsAsGroupSeparators is true
# For code quality
gem 'rubocop'
# For tests
gem 'rspec'

Denial of Service Vulnerability in Action View
Open

    actionview (5.1.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

File Content Disclosure in Action View
Open

    actionview (5.1.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
Open

            if data =~ /To proceed, type "#{app_name}"/
Severity: Minor
Found in app/jobs/remove_app_job.rb by rubocop

Checks for if and unless statements that would fit on one line if written as a modifier if/unless. The maximum line length is configured in the Metrics/LineLength cop.

Example:

# bad
if condition
  do_stuff(bar)
end

unless qux.empty?
  Foo.do_something
end

# good
do_stuff(bar) if condition
Foo.do_something unless qux.empty?

Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow &&/||.
Open

            if data =~ /Keyfile for initial user:/
Severity: Minor
Found in app/jobs/update_server_job.rb by rubocop

Line is too long. [123/110]
Open

      "wget -O bootstrap.sh https://raw.githubusercontent.com/dokku/dokku/#{server.latest_dokku_version}/bootstrap.sh && "\
Severity: Minor
Found in app/jobs/install_server_job.rb by rubocop

Extra empty line detected at block body beginning.
Open


          channel.on_extended_data do |_, type, data|
Severity: Minor
Found in app/jobs/install_server_job.rb by rubocop

This cop checks whether the empty lines around block bodies match the configured style.

Example: EnforcedStyle: empty_lines

# good

foo do |bar|

  # ...

end

Example: EnforcedStyle: no_empty_lines (default)

# good

foo do |bar|
  # ...
end

FIXME found
Open

    - FIXME
Severity: Minor
Found in .rubocop.yml by fixme

TODO found
Open

TODO
Severity: Minor
Found in doc/deploy/ruby_on_rails.md by fixme

TODO found
Open

    - TODO
Severity: Minor
Found in .rubocop.yml by fixme

HACK found
Open

    - HACK
Severity: Minor
Found in .rubocop.yml by fixme

TODO found
Open

TODO
Severity: Minor
Found in doc/deploy/ruby_on_rails.md by fixme

TODO found
Open

TODO
Severity: Minor
Found in doc/deploy/ruby_on_rails.md by fixme