Showing 91 of 91 total issues
Possible shell escape sequence injection vulnerability in Rack Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
XSS vulnerability in rails-html-sanitizer Open
rails-html-sanitizer (1.0.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3741
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Solution: upgrade to >= 1.0.4
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Possible information leak / session hijack vulnerability Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Path Traversal in Sprockets Open
sprockets (3.7.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Denial of Service Vulnerability in Action View Open
actionview (5.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
Denial of Service Vulnerability in Rack Content-Disposition parsing Open
rack (2.0.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)
- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.3)
- Read upRead up
- Exclude checks
Use ==
if you meant to do a comparison or wrap the expression in parentheses to indicate you meant to assign in a condition. Open
if spring = lockfile.specs.detect { |spec| spec.name == "spring" }
- Read upRead up
- Exclude checks
This cop checks for assignments in the conditions of if/while/until.
Example:
# bad
if some_var = true
do_something
end
Example:
# good
if some_var == true
do_something
end
Expected an assignment or function call and instead saw an expression. Open
this.App || (this.App = {});
- Read upRead up
- Exclude checks
Disallow Unused Expressions (no-unused-expressions)
An unused expression which has no effect on the state of the program indicates a logic error.
For example, n + 1;
is not a syntax error, but it might be a typing mistake where a programmer meant an assignment statement n += 1;
instead.
Rule Details
This rule aims to eliminate unused expressions which have no effect on the state of the program.
This rule does not apply to function calls or constructor calls with the new
operator, because they could have side effects on the state of the program.
var i = 0;
function increment() { i += 1; }
increment(); // return value is unused, but i changed as a side effect
var nThings = 0;
function Thing() { nThings += 1; }
new Thing(); // constructed object is unused, but nThings changed as a side effect
This rule does not apply to directives (which are in the form of literal string expressions such as "use strict";
at the beginning of a script, module, or function).
Sequence expressions (those using a comma, such as a = 1, b = 2
) are always considered unused unless their return value is assigned or used in a condition evaluation, or a function call is made with the sequence expression value.
Options
This rule, in its default state, does not require any arguments. If you would like to enable one or more of the following you may pass an object with the options set as follows:
-
allowShortCircuit
set totrue
will allow you to use short circuit evaluations in your expressions (Default:false
). -
allowTernary
set totrue
will enable you to use ternary operators in your expressions similarly to short circuit evaluations (Default:false
). -
allowTaggedTemplates
set totrue
will enable you to use tagged template literals in your expressions (Default:false
).
These options allow unused expressions only if all of the code paths either directly change the state (for example, assignment statement) or could have side effects (for example, function call).
Examples of incorrect code for the default { "allowShortCircuit": false, "allowTernary": false }
options:
/*eslint no-unused-expressions: "error"*/
0
if(0) 0
{0}
f(0), {}
a && b()
a, b()
c = a, b;
a() && function namedFunctionInExpressionContext () {f();}
(function anIncompleteIIFE () {});
injectGlobal`body{ color: red; }`
Note that one or more string expression statements (with or without semi-colons) will only be considered as unused if they are not in the beginning of a script, module, or function (alone and uninterrupted by other statements). Otherwise, they will be treated as part of a "directive prologue", a section potentially usable by JavaScript engines. This includes "strict mode" directives.
"use strict";
"use asm"
"use stricter";
"use babel"
"any other strings like this in the prologue";
Examples of correct code for the default { "allowShortCircuit": false, "allowTernary": false }
options:
/*eslint no-unused-expressions: "error"*/
{} // In this context, this is a block statement, not an object literal
{myLabel: someVar} // In this context, this is a block statement with a label and expression, not an object literal
function namedFunctionDeclaration () {}
(function aGenuineIIFE () {}());
f()
a = 0
new C
delete a.b
void a
allowShortCircuit
Examples of incorrect code for the { "allowShortCircuit": true }
option:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/
a || b
Examples of correct code for the { "allowShortCircuit": true }
option:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/
a && b()
a() || (b = c)
allowTernary
Examples of incorrect code for the { "allowTernary": true }
option:
/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/
a ? b : 0
a ? b : c()
Examples of correct code for the { "allowTernary": true }
option:
/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/
a ? b() : c()
a ? (b = c) : d()
allowShortCircuit and allowTernary
Examples of correct code for the { "allowShortCircuit": true, "allowTernary": true }
options:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true, "allowTernary": true }]*/
a ? b() || (c = d) : e()
allowTaggedTemplates
Examples of incorrect code for the { "allowTaggedTemplates": true }
option:
/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/
`some untagged template string`;
Examples of correct code for the { "allowTaggedTemplates": true }
option:
/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/
tag`some tagged template string`;
Source: http://eslint.org/docs/rules/