Insufficient validation for 'xml_element_name' using /^[^\s]*$/. Use \A and \z as anchors Open
validates_format_of :xml_element_name, :xsi_type, with: /^[^\s]*$/, message: lambda { I18n.t('extended_field_model.no_spaces') }
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
Insufficient validation for 'label' using /^[^\'\":<>&,\/\\?.-]*$/. Use \A and \z as anchors Open
validates_format_of :label, with: /^[^\'\":<>\&,\/\\\?\.\-]*$/, message: lambda { I18n.t('extended_field_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, -, and .") }
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
Mass assignment is not restricted using attr_accessible Open
class ExtendedField < ActiveRecord::Base
- Read upRead up
- Exclude checks
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible
inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected
- especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected
will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
Class has too many lines. [131/100] Open
class ExtendedField < ActiveRecord::Base
include ExtendedFieldsHelpers
# Choices/enumerations
has_many :choice_mappings, as: :field
- Read upRead up
- Exclude checks
This cop checks if the length a class exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Class ExtendedField
has 25 methods (exceeds 20 allowed). Consider refactoring. Open
class ExtendedField < ActiveRecord::Base
include ExtendedFieldsHelpers
# Choices/enumerations
has_many :choice_mappings, as: :field
Method has too many lines. [17/10] Open
def self.clauses_for_has_label_that_matches(params_key)
params_key_words = params_key.to_s.tr('_', ' ').split(' ')
match_keyword = 'LIKE'
label_sql = 'LOWER(label)'
- Read upRead up
- Exclude checks
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
TODO found Open
# TODO: might want to reconsider using subselects here
- Exclude checks
TODO found Open
# TODO: this is an error, say something meaningful
- Exclude checks
TODO found Open
# TODO: add validation that prevents adding xsi_type without xml_element_name
- Exclude checks
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_exclusion_of :label, in: invalid_label_names, message: lambda { I18n.t('extended_field_model.already_used', invalid_label_names: invalid_label_names.join(', ')) }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Use safe navigation (&.
) instead of checking if an object exists before calling the method. Open
errors.add('label', I18n.t('extended_field_model.label_cant_have')) if label && label.strip =~ /^(form|input|script)$/i
- Read upRead up
- Exclude checks
This cop transforms usages of a method call safeguarded by a non nil
check for the variable whose method is being called to
safe navigation (&.
).
Configuration option: ConvertCodeThatCanStartToReturnNil
The default for this is false
. When configured to true
, this will
check for code in the format !foo.nil? && foo.bar
. As it is written,
the return of this code is limited to false
and whatever the return
of the method is. If this is converted to safe navigation,
foo&.bar
can start returning nil
as well as what the method
returns.
Example:
# bad
foo.bar if foo
foo.bar(param1, param2) if foo
foo.bar { |e| e.something } if foo
foo.bar(param) { |e| e.something } if foo
foo.bar if !foo.nil?
foo.bar unless !foo
foo.bar unless foo.nil?
foo && foo.bar
foo && foo.bar(param1, param2)
foo && foo.bar { |e| e.something }
foo && foo.bar(param) { |e| e.something }
# good
foo&.bar
foo&.bar(param1, param2)
foo&.bar { |e| e.something }
foo&.bar(param) { |e| e.something }
foo.nil? || foo.bar
!foo || foo.bar
# Methods that `nil` will `respond_to?` should not be converted to
# use safe navigation
foo.to_i if foo
Rename is_required?
to required?
. Open
def is_required?(controller, topic_type_id = nil)
- Read upRead up
- Exclude checks
This cop makes sure that predicates are named properly.
Example:
# bad
def is_even?(value)
end
# good
def even?(value)
end
# bad
def has_value?
end
# good
def value?
end
Use attr_writer
to define trivial writer methods. Open
def circa=(value)
- Read upRead up
- Exclude checks
This cop looks for trivial reader/writer methods, that could have been created with the attr_* family of functions automatically.
Example:
# bad
def foo
@foo
end
def bar=(val)
@bar = val
end
def self.baz
@baz
end
# good
attr_reader :foo
attr_writer :bar
class << self
attr_reader :baz
end
Rename is_a_choice?
to a_choice?
. Open
def is_a_choice?
- Read upRead up
- Exclude checks
This cop makes sure that predicates are named properly.
Example:
# bad
def is_even?(value)
end
# good
def even?(value)
end
# bad
def has_value?
end
# good
def value?
end
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_format_of :label, with: /^[^\'\":<>\&,\/\\\?\.\-]*$/, message: lambda { I18n.t('extended_field_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, -, and .") }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Use safe navigation (&.
) instead of checking if an object exists before calling the method. Open
circa && circa.param_to_obj_equiv
- Read upRead up
- Exclude checks
This cop transforms usages of a method call safeguarded by a non nil
check for the variable whose method is being called to
safe navigation (&.
).
Configuration option: ConvertCodeThatCanStartToReturnNil
The default for this is false
. When configured to true
, this will
check for code in the format !foo.nil? && foo.bar
. As it is written,
the return of this code is limited to false
and whatever the return
of the method is. If this is converted to safe navigation,
foo&.bar
can start returning nil
as well as what the method
returns.
Example:
# bad
foo.bar if foo
foo.bar(param1, param2) if foo
foo.bar { |e| e.something } if foo
foo.bar(param) { |e| e.something } if foo
foo.bar if !foo.nil?
foo.bar unless !foo
foo.bar unless foo.nil?
foo && foo.bar
foo && foo.bar(param1, param2)
foo && foo.bar { |e| e.something }
foo && foo.bar(param) { |e| e.something }
# good
foo&.bar
foo&.bar(param1, param2)
foo&.bar { |e| e.something }
foo&.bar(param) { |e| e.something }
foo.nil? || foo.bar
!foo || foo.bar
# Methods that `nil` will `respond_to?` should not be converted to
# use safe navigation
foo.to_i if foo
Use attr_writer
to define trivial writer methods. Open
def base_url=(value)
- Read upRead up
- Exclude checks
This cop looks for trivial reader/writer methods, that could have been created with the attr_* family of functions automatically.
Example:
# bad
def foo
@foo
end
def bar=(val)
@bar = val
end
def self.baz
@baz
end
# good
attr_reader :foo
attr_writer :bar
class << self
attr_reader :baz
end
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_format_of :xml_element_name, :xsi_type, with: /^[^\s]*$/, message: lambda { I18n.t('extended_field_model.no_spaces') }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Use %r
around regular expression. Open
validates_format_of :label, with: /^[^\'\":<>\&,\/\\\?\.\-]*$/, message: lambda { I18n.t('extended_field_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, -, and .") }
- Read upRead up
- Exclude checks
This cop enforces using // or %r around regular expressions.
Example: EnforcedStyle: slashes (default)
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = %r{
foo
(bar)
(baz)
}x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = /
foo
(bar)
(baz)
/x
Example: EnforcedStyle: percent_r
# bad
snake_case = /^[\dA-Z_]+$/
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = %r{^[\dA-Z_]+$}
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: EnforcedStyle: mixed
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: AllowInnerSlashes: false (default)
# If `false`, the cop will always recommend using `%r` if one or more
# slashes are found in the regexp string.
# bad
x =~ /home\//
# good
x =~ %r{home/}
Example: AllowInnerSlashes: true
# good
x =~ /home\//
Use attr_writer
to define trivial writer methods. Open
def topic_type=(value)
- Read upRead up
- Exclude checks
This cop looks for trivial reader/writer methods, that could have been created with the attr_* family of functions automatically.
Example:
# bad
def foo
@foo
end
def bar=(val)
@bar = val
end
def self.baz
@baz
end
# good
attr_reader :foo
attr_writer :bar
class << self
attr_reader :baz
end
Redundant else
-clause. Open
else
- Read upRead up
- Exclude checks
Checks for empty else-clauses, possibly including comments and/or an
explicit nil
depending on the EnforcedStyle.
Example: EnforcedStyle: empty
# warn only on empty else
# bad
if condition
statement
else
end
# good
if condition
statement
else
nil
end
# good
if condition
statement
else
statement
end
# good
if condition
statement
end
Example: EnforcedStyle: nil
# warn on else with nil in it
# bad
if condition
statement
else
nil
end
# good
if condition
statement
else
end
# good
if condition
statement
else
statement
end
# good
if condition
statement
end
Example: EnforcedStyle: both (default)
# warn on empty else and else with nil in it
# bad
if condition
statement
else
nil
end
# bad
if condition
statement
else
end
# good
if condition
statement
else
statement
end
# good
if condition
statement
end