Sign upLogin

jjeremydiaz/OpenHouse

View on GitHub
Star

Showing 815 of 815 total issues

Similar blocks of code found in 2 locations. Consider refactoring.
Open

When /^"(.*)" upload another picture as "(.*)"/ do |name, type|
    user = User.find_by(first_name: name)
    # should be a permanent cloudinary id
    id = "demo/image/upload/8jsb1xofxdqamu2rzwt9q.jpg"
    if type == "profile_picture"
Severity: Minor
Found in features/step_definitions/image_steps.rb and 1 other location - About 30 mins to fix
features/step_definitions/image_steps.rb on lines 29..40

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 33.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Unescaped model attribute
Open

  curr_loc_lng = '#{@curr_loc_lng}';
Severity: Minor
Found in app/views/users/show.html.haml by brakeman

Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

See the Ruby Security Guide for more details.

Query Parameters and Cookies

ERB example:

<%= params[:query].html_safe %>

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

<%= raw some_method(cookie[:name]) %>

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if @user is an instance of a model set in an action like

def set_user
  @user = User.first
end

and there is a view with

<%= @user.name.html_safe %>

Brakeman will raise a warning like

Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

Loofah 2.1.1 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.1.1)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://github.com/flavorjones/loofah/issues/144

Unescaped model attribute
Open

  curr_loc_lat = '#{@curr_loc_lat}';
Severity: Minor
Found in app/views/users/show.html.haml by brakeman

Cross-site scripting (or XSS) is #3 on the 2013 [OWASP Top Ten](https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS\)) web security risks and it pops up nearly everywhere.

XSS occurs when a user-controlled value is displayed on a web page without properly escaping it, allowing someone to inject Javascript or HTML into the page which will be interpreted and executed by the browser..

In Rails 2.x, values need to be explicitly escaped (e.g., by using the h method). Since Rails 3.x, auto-escaping in views is enabled by default. However, one can still use the raw or html_safe methods to output a value directly.

See the Ruby Security Guide for more details.

Query Parameters and Cookies

ERB example:

<%= params[:query].html_safe %>

Brakeman looks for several situations that can allow XSS. The simplest is like the example above: a value from the params or cookies is being directly output to a view. In such cases, it will issue a warning like:

Unescaped parameter value near line 3: params[:query]

By default, Brakeman will also warn when a parameter or cookie value is used as an argument to a method, the result of which is output unescaped to a view.

For example:

<%= raw some_method(cookie[:name]) %>

This raises a warning like:

Unescaped cookie value near line 5: some_method(cookies[:oreo])

However, the confidence level for this warning will be weak, because it is not directly outputting the cookie value.

Some methods are known to Brakeman to either be dangerous (link_to is one) or safe (escape_once). Users can specify safe methods using the --safe-methods option. Alternatively, Brakeman can be set to only warn when values are used directly with the --report-direct option.

Model Attributes

Because (many) models come from database values, Brakeman mistrusts them by default.

For example, if @user is an instance of a model set in an action like

def set_user
  @user = User.first
end

and there is a view with

<%= @user.name.html_safe %>

Brakeman will raise a warning like

Unescaped model attribute near line 3: User.first.name

If you trust all your data (although you probably shouldn't), this can be disabled with --ignore-model-output.

Method set_defaults has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
Open

    def set_defaults
        self.available_time_start ||= '00:00'
        self.available_time_end ||= '00:00'
        self.home_street_address ||= ''
        self.home_city ||= ''
Severity: Minor
Found in app/models/user.rb - About 25 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

Then /^(?:|I )should not see \/([^\/]*)\/$/ do |regexp|
  regexp = Regexp.new(regexp)

  if page.respond_to? :should
    page.should have_no_xpath('//*', :text => regexp)
Severity: Minor
Found in features/step_definitions/web_steps.rb and 1 other location - About 20 mins to fix
features/step_definitions/web_steps.rb on lines 113..119

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 27.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Similar blocks of code found in 2 locations. Consider refactoring.
Open

Then /^(?:|I )should see \/([^\/]*)\/$/ do |regexp|
  regexp = Regexp.new(regexp)

  if page.respond_to? :should
    page.should have_xpath('//*', :text => regexp)
Severity: Minor
Found in features/step_definitions/web_steps.rb and 1 other location - About 20 mins to fix
features/step_definitions/web_steps.rb on lines 131..137

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 27.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Refactorings

Further Reading

Line is too long. [110/80]
Open

vendored_cucumber_bin = Dir["#{File.dirname(__FILE__)}/../vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
Severity: Minor
Found in script/cucumber by rubocop

Missing top-level class documentation comment.
Open

class Conversation < ActiveRecord::Base
Severity: Minor
Found in app/models/conversation.rb by rubocop

This cop checks for missing top-level documentation of classes and modules. Classes with no body are exempt from the check and so are namespace modules - modules that have nothing in their bodies except classes, other modules, or constant definitions.

The documentation requirement is annulled if the class or module has a "#:nodoc:" comment next to it. Likewise, "#:nodoc: all" does the same for all its children.

Example:

# bad
class Person
  # ...
end

# good
# Description/Explanation of Person class
class Person
  # ...
end

Space inside { missing.
Open

    validates :available_time_end, format: {with: /\A\d\d:\d\d\z/ }
Severity: Minor
Found in app/models/user.rb by rubocop

Checks that braces used for hash literals have or don't have surrounding space depending on configuration.

Example: EnforcedStyle: space

# The `space` style enforces that hash literals have
# surrounding space.

# bad
h = {a: 1, b: 2}

# good
h = { a: 1, b: 2 }

Example: EnforcedStyle: no_space

# The `no_space` style enforces that hash literals have
# no surrounding space.

# bad
h = { a: 1, b: 2 }

# good
h = {a: 1, b: 2}

Example: EnforcedStyle: compact

# The `compact` style normally requires a space inside
# hash braces, with the exception that successive left
# braces or right braces are collapsed together in nested hashes.

# bad
h = { a: { b: 2 } }

# good
h = { a: { b: 2 }}

Redundant self detected.
Open

        self.home_street_address + " " + self.home_city + " " + self.home_state + " " + self.home_zip_code
Severity: Minor
Found in app/models/user.rb by rubocop

This cop checks for redundant uses of self.

The usage of self is only needed when:

  • Sending a message to same object with zero arguments in presence of a method name clash with an argument or a local variable.

  • Calling an attribute writer to prevent an local variable assignment.

Note, with using explicit self you can only send messages with public or protected scope, you cannot send private messages this way.

Note we allow uses of self with operators because it would be awkward otherwise.

Example:

# bad
def foo(bar)
  self.baz
end

# good
def foo(bar)
  self.bar  # Resolves name clash with the argument.
end

def foo
  bar = 1
  self.bar  # Resolves name clash with the local variable.
end

def foo
  %w[x y z].select do |bar|
    self.bar == bar  # Resolves name clash with argument of the block.
  end
end

Surrounding space missing for operator +.
Open

        (((start_hour-1)%12)+1).to_s + range[2..4] + ((start_hour%24)<12?' a.m. - ':' p.m. - ') + (((end_hour-1)%12)+1).to_s + range[8..10] + ((end_hour%24)<12?' a.m.':' p.m.')
Severity: Minor
Found in app/helpers/time_helper.rb by rubocop

Checks that operators have space around them, except for ** which should not have surrounding space.

Example:

# bad
total = 3*4
"apple"+"juice"
my_number = 38/4
a ** b

# good
total = 3 * 4
"apple" + "juice"
my_number = 38 / 4
a**b

Surrounding space missing for operator ?.
Open

        (((start_hour-1)%12)+1).to_s + range[2..4] + ((start_hour%24)<12?' a.m. - ':' p.m. - ') + (((end_hour-1)%12)+1).to_s + range[8..10] + ((end_hour%24)<12?' a.m.':' p.m.')
Severity: Minor
Found in app/helpers/time_helper.rb by rubocop

Checks that operators have space around them, except for ** which should not have surrounding space.

Example:

# bad
total = 3*4
"apple"+"juice"
my_number = 38/4
a ** b

# good
total = 3 * 4
"apple" + "juice"
my_number = 38 / 4
a**b

Use 2 (not 4) spaces for indentation.
Open

        @user = User.create(user_params)
Severity: Minor
Found in app/controllers/users_controller.rb by rubocop

This cops checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Use 2 (not 4) spaces for indentation.
Open

        @user = current_user
Severity: Minor
Found in app/controllers/users_controller.rb by rubocop

This cops checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Use 2 (not 4) spaces for indentation.
Open

        @user = current_user
Severity: Minor
Found in app/controllers/users_controller.rb by rubocop

This cops checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Use 2 (not 4) spaces for indentation.
Open

        @user = current_user
Severity: Minor
Found in app/controllers/users_controller.rb by rubocop

This cops checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Use 2 (not 4) spaces for indentation.
Open

            flash[:notice] = "Please select an image first."
Severity: Minor
Found in app/controllers/users_controller.rb by rubocop

This cops checks for indentation that doesn't use the specified number of spaces.

See also the IndentationConsistency cop which is the companion to this one.

Example:

# bad
class A
 def test
  puts 'hello'
 end
end

# good
class A
  def test
    puts 'hello'
  end
end

Example: IgnoredPatterns: ['^\s*module']

# bad
module A
class B
  def test
  puts 'hello'
  end
end
end

# good
module A
class B
  def test
    puts 'hello'
  end
end
end

Trailing whitespace detected.
Open
Severity: Minor
Found in app/models/conversation.rb by rubocop
Severity
Category
Status
Source
Language