Mass assignment is not restricted using attr_accessible Open
class TopicType < ActiveRecord::Base
- Read upRead up
- Exclude checks
This warning comes up if a model does not limit what attributes can be set through mass assignment.
In particular, this check looks for attr_accessible
inside model definitions. If it is not found, this warning will be issued.
Brakeman also warns on use of attr_protected
- especially since it was found to be vulnerable to bypass. Warnings for mass assignment on models using attr_protected
will be reported, but at a lower confidence level.
Note that disabling mass assignment globally will suppress these warnings.
Insufficient validation for 'name' using /^[^\'\":<>&,\/\\?.]*$/. Use \A and \z as anchors Open
validates_format_of :name, with: /^[^\'\":<>\&,\/\\\?\.]*$/, message: lambda { I18n.t('topic_type_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, and .") }
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
TODO found Open
# TODO: might want to reconsider using a subselect here
- Exclude checks
TODO found Open
# TODO: globalize stuff, uncomment later
- Exclude checks
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
scope :from_urlified_name, lambda { |urlified_name| where('LOWER(name) = ?', urlified_name.downcase.tr('_', ' ')) }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Avoid rescuing without specifying an error class. Open
rescue
- Read upRead up
- Exclude checks
This cop checks for rescuing StandardError
. There are two supported
styles implicit
and explicit
. This cop will not register an offense
if any error other than StandardError
is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Example: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
end
Use the -> { ... }
lambda literal syntax for single line lambdas. Open
validates_format_of :name, with: /^[^\'\":<>\&,\/\\\?\.]*$/, message: lambda { I18n.t('topic_type_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, and .") }
- Read upRead up
- Exclude checks
This cop (by default) checks for uses of the lambda literal syntax for single line lambdas, and the method call syntax for multiline lambdas. It is configurable to enforce one of the styles for both single line and multiline lambdas as well.
Example: EnforcedStyle: linecountdependent (default)
# bad
f = lambda { |x| x }
f = ->(x) do
x
end
# good
f = ->(x) { x }
f = lambda do |x|
x
end
Example: EnforcedStyle: lambda
# bad
f = ->(x) { x }
f = ->(x) do
x
end
# good
f = lambda { |x| x }
f = lambda do |x|
x
end
Example: EnforcedStyle: literal
# bad
f = lambda { |x| x }
f = lambda do |x|
x
end
# good
f = ->(x) { x }
f = ->(x) do
x
end
Use %r
around regular expression. Open
validates_format_of :name, with: /^[^\'\":<>\&,\/\\\?\.]*$/, message: lambda { I18n.t('topic_type_model.invalid_chars', invalid_chars: ": \', \\, /, &, \", ?, <, >, and .") }
- Read upRead up
- Exclude checks
This cop enforces using // or %r around regular expressions.
Example: EnforcedStyle: slashes (default)
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = %r{
foo
(bar)
(baz)
}x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = /
foo
(bar)
(baz)
/x
Example: EnforcedStyle: percent_r
# bad
snake_case = /^[\dA-Z_]+$/
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = %r{^[\dA-Z_]+$}
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: EnforcedStyle: mixed
# bad
snake_case = %r{^[\dA-Z_]+$}
# bad
regex = /
foo
(bar)
(baz)
/x
# good
snake_case = /^[\dA-Z_]+$/
# good
regex = %r{
foo
(bar)
(baz)
}x
Example: AllowInnerSlashes: false (default)
# If `false`, the cop will always recommend using `%r` if one or more
# slashes are found in the regexp string.
# bad
x =~ /home\//
# good
x =~ %r{home/}
Example: AllowInnerSlashes: true
# good
x =~ /home\//
Pass &:id
as an argument to collect
instead of a block. Open
@self_and_ancestors_ids ||= self_and_ancestors.collect { |a| a.id }
- Read upRead up
- Exclude checks
Use symbols as procs when possible.
Example:
# bad
something.map { |s| s.upcase }
# good
something.map(&:upcase)