Mass assignment is not restricted using attr_accessible
    class OaiPmhRepositorySet < ActiveRecord::Base
This warning comes up if a model does not limit what attributes can be set through mass assignment. In particular, this check looks for attr_accessible inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected, especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
Insufficient validation for 'name' using /^[^\'\":<>&,\/\\?]*$/. Use \A and \z as anchors
    with: /^[^\'\":<>\&,\/\\\?]*$/,
Calls to validates_format_of ..., :with => // which do not use \A and \z as anchors will cause this warning. Using ^ and $ is not sufficient: in Ruby they match at the start and end of any line rather than of the whole string, so the pattern only constrains the input up to a newline. This allows an attacker to put whatever malicious input they would like before or after a newline character.
See the Ruby Security Guide for details.
Method has too many lines. [11/10]
    def options_for_generated_sets
      @options_for_generated_sets = []
      return @options_for_generated_sets unless dynamic?
      # because this oai_pmh_repository_set is dynamic
This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.
Method has too many lines. [11/10]
    def matching_specs(item)
      values = []
      # dynamic value should return an array of names
      # static should return a string
      if dynamic?
Useless assignment to variable - sets.
    sets += generate_dynamic_sets
This cop checks for every useless assignment to local variable in every scope. The basic idea for this cop was from the warning of ruby -cw: "assigned but unused variable - foo". Currently this cop has advanced logic that detects unreferenced reassignments and properly handles varied cases such as branch, loop, rescue, ensure, etc.
Example:
    # bad
    def some_method
      some_var = 1
      do_something
    end
Example:
    # good
    def some_method
      some_var = 1
      do_something(some_var)
    end
The use of eval is a serious security risk.
    values = eval(value)
This cop checks for the use of Kernel#eval and Binding#eval.
Example:
    # bad
    eval(something)
    binding.eval(something)
The use of eval is a serious security risk.
    eval(value).each do |string|
Do not use unless with else. Rewrite these with the positive case first.
    unless dynamic?
      sets << create_set
    else
      sets += generate_dynamic_sets
    end
This cop looks for unless expressions with else clauses.
Example:
    # bad
    unless foo_bar.nil?
      # do something...
    else
      # do a different thing...
    end
    # good
    if foo_bar.present?
      # do something...
    else
      # do a different thing...
    end
Favor modifier if usage when having a single-line body. Another good alternative is the usage of control flow && / ||.
    if ['true', 'false'].include?(for_value)
Checks for if and unless statements that would fit on one line if written as a modifier if/unless. The maximum line length is configured in the Metrics/LineLength cop.
Example:
    # bad
    if condition
      do_stuff(bar)
    end
    unless qux.empty?
      Foo.do_something
    end
    # good
    do_stuff(bar) if condition
    Foo.do_something unless qux.empty?
Unused method argument - item. If it's necessary, use _ or _item as an argument name to indicate that it won't be used.
    def test_match_with(item, for_value)
This cop checks for unused method arguments.
Example:
    # bad
    def some_method(used, unused, _unused_but_allowed)
      puts used
    end
Example:
    # good
    def some_method(used, _unused, _unused_but_allowed)
      puts used
    end
Useless assignment to variable - set.
    set = GeneratedSet.new(this_set)
Use %r around regular expression.
    with: /^[^\'\":<>\&,\/\\\?]*$/,
This cop enforces using // or %r around regular expressions.
Example: EnforcedStyle: slashes (default)
    # bad
    snake_case = %r{^[\dA-Z_]+$}
    # bad
    regex = %r{
      foo
      (bar)
      (baz)
    }x
    # good
    snake_case = /^[\dA-Z_]+$/
    # good
    regex = /
      foo
      (bar)
      (baz)
    /x
Example: EnforcedStyle: percent_r
    # bad
    snake_case = /^[\dA-Z_]+$/
    # bad
    regex = /
      foo
      (bar)
      (baz)
    /x
    # good
    snake_case = %r{^[\dA-Z_]+$}
    # good
    regex = %r{
      foo
      (bar)
      (baz)
    }x
Example: EnforcedStyle: mixed
    # bad
    snake_case = %r{^[\dA-Z_]+$}
    # bad
    regex = /
      foo
      (bar)
      (baz)
    /x
    # good
    snake_case = /^[\dA-Z_]+$/
    # good
    regex = %r{
      foo
      (bar)
      (baz)
    }x
Example: AllowInnerSlashes: false (default)
    # If `false`, the cop will always recommend using `%r` if one or more
    # slashes are found in the regexp string.
    # bad
    x =~ /home\//
    # good
    x =~ %r{home/}
Example: AllowInnerSlashes: true
    # good
    x =~ /home\//
The use of eval is a serious security risk.
    for_value == eval(code)
Use the -> { ... } lambda literal syntax for single line lambdas.
    message: lambda { I18n.t('oai_pmh_repository_set_model.invalid_chars', invalid_chars: "\', \\, /, &, \", ?, <, and >") }
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: line_count_dependent (default)
    # bad
    f = lambda { |x| x }
    f = ->(x) do
      x
    end
    # good
    f = ->(x) { x }
    f = lambda do |x|
      x
    end
Example: EnforcedStyle: lambda
    # bad
    f = ->(x) { x }
    f = ->(x) do
      x
    end
    # good
    f = lambda { |x| x }
    f = lambda do |x|
      x
    end
Example: EnforcedStyle: literal
    # bad
    f = lambda { |x| x }
    f = lambda do |x|
      x
    end
    # good
    f = ->(x) { x }
    f = ->(x) do
      x
    end
Do not use unless with else. Rewrite these with the positive case first.
    unless dynamic?
      add_this_set_to(xml_builder)
    else
      dynamic_output_to(xml_builder)
    end
The use of eval is a serious security risk.
    for_value = eval(for_value)