Mass assignment is not restricted using attr_accessible Open
class Feed < ActiveRecord::Base
- Read upRead up
- Exclude checks
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible
inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected
- especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected
will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
Use each_key
instead of keys.each
. Open
I18n.available_locales_with_labels.keys.each do |locale|
- Read upRead up
- Exclude checks
This cop checks for uses of each_key
and each_value
Hash methods.
Note: If you have an array of two-element arrays, you can put parentheses around the block arguments to indicate that you're not working with a hash, and suppress RuboCop offenses.
Example:
# bad
hash.keys.each { |k| p k }
hash.values.each { |v| p v }
hash.each { |k, _v| p k }
hash.each { |_k, v| p v }
# good
hash.each_key { |k| p k }
hash.each_value { |v| p v }
Avoid rescuing without specifying an error class. Open
rescue
- Read upRead up
- Exclude checks
This cop checks for rescuing StandardError
. There are two supported
styles implicit
and explicit
. This cop will not register an offense
if any error other than StandardError
is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Example: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Do not suppress exceptions. Open
rescue
- Read upRead up
- Exclude checks
This cop checks for rescue blocks with no body.
Example:
# bad
def some_method
do_something
rescue
# do nothing
end
Example:
# bad
begin
do_something
rescue
# do nothing
end
Example:
# good
def some_method
do_something
rescue
handle_exception
end
Example:
# good
begin
do_something
rescue
handle_exception
end
Redundant curly braces around a hash parameter. Open
update_attributes({
serialized_feed: entries,
last_downloaded: Time.now.utc.to_s(:db)
})
- Read upRead up
- Exclude checks
This cop checks for braces around the last parameter in a method call
if the last parameter is a hash.
It supports braces
, no_braces
and context_dependent
styles.
Example: EnforcedStyle: braces
# The `braces` style enforces braces around all method
# parameters that are hashes.
# bad
some_method(x, y, a: 1, b: 2)
# good
some_method(x, y, {a: 1, b: 2})
Example: EnforcedStyle: no_braces (default)
# The `no_braces` style checks that the last parameter doesn't
# have braces around it.
# bad
some_method(x, y, {a: 1, b: 2})
# good
some_method(x, y, a: 1, b: 2)
Example: EnforcedStyle: context_dependent
# The `context_dependent` style checks that the last parameter
# doesn't have braces around it, but requires braces if the
# second to last parameter is also a hash literal.
# bad
some_method(x, y, {a: 1, b: 2})
some_method(x, y, {a: 1, b: 2}, a: 1, b: 2)
# good
some_method(x, y, a: 1, b: 2)
some_method(x, y, {a: 1, b: 2}, {a: 1, b: 2})
URI.escape
method is obsolete and should not be used. Instead, use CGI.escape
, URI.encode_www_form
or URI.encode_www_form_component
depending on your specific use case. Open
url = escape ? URI.escape(url) : url
- Read upRead up
- Exclude checks
This cop identifies places where URI.escape
can be replaced by
CGI.escape
, URI.encode_www_form
or URI.encode_www_form_component
depending on your specific use case.
Also this cop identifies places where URI.unescape
can be replaced by
CGI.unescape
, URI.decode_www_form
or URI.decode_www_form_component
depending on your specific use case.
Example:
# bad
URI.escape('http://example.com')
URI.encode('http://example.com')
# good
CGI.escape('http://example.com')
URI.encode_www_form([['example', 'param'], ['lang', 'en']])
URI.encode_www_form(page: 10, locale: 'en')
URI.encode_www_form_component('http://example.com')
# bad
URI.unescape(enc_uri)
URI.decode(enc_uri)
# good
CGI.unescape(enc_uri)
URI.decode_www_form(enc_uri)
URI.decode_www_form_component(enc_uri)