Sign upLogin

kete/kete

View on GitHub
Star
lib/item_privacy.rb

Summary

Maintainability
A
1 hr
Test Coverage

Possible SQL injection
Open

          conditions: "title != \'#{SystemSetting.no_public_version_title}\'",
Severity: Minor
Found in lib/item_privacy.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Module has too many lines. [105/100]
Open

    module InstanceMethods
      # TODO: Work out how to invoke an instance method from an included module..
      # Might need to overload self.non_versioned_columns the method
      # self.non_versioned_columns << "file_private"
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks if the length a module exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

Method has too many lines. [18/10]
Open

      def load_public!
        if public_version = latest_public_version
          without_saving_private do
            revert_to!(public_version)
          end
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

Assignment Branch Condition size for order_tags is too high. [19.47/15]
Open

      def order_tags(tags_out_of_order)
        return tags_out_of_order if raw_tag_list.blank?

        # Get the raw tag list, split, squish (removed whitespace), and add each to raw_tag_array
        # Make sure we skip if the array already has that tag name (remove any duplicates that occur)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric

Assignment Branch Condition size for rename_file is too high. [18.06/15]
Open

    def rename_file
      return unless @old_filename && @old_filename != full_filename
      if save_attachment? && File.exist?(@old_filename)
        FileUtils.rm @old_filename
      elsif File.exist?(@old_filename)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks that the ABC size of methods is not higher than the configured maximum. The ABC size is based on assignments, branches (method calls), and conditions. See http://c2.com/cgi/wiki?AbcMetric

Method has too many lines. [12/10]
Open

      def store_correct_versions_after_save
        if private?
          store_private!

          # Store the basket id from the private version for future use..
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

Method has too many lines. [11/10]
Open

      def store_private!(save_after_serialization = false)
        prepared_array =
          self.class.versioned_columns.inject([]) do |memo, k|
            memo << [k.name, send(k.name.to_sym)]
          end
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

Method has too many lines. [11/10]
Open

      def order_tags(tags_out_of_order)
        return tags_out_of_order if raw_tag_list.blank?

        # Get the raw tag list, split, squish (removed whitespace), and add each to raw_tag_array
        # Make sure we skip if the array already has that tag name (remove any duplicates that occur)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks if the length of a method exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

Cyclomatic complexity for rename_file is too high. [7/6]
Open

    def rename_file
      return unless @old_filename && @old_filename != full_filename
      if save_attachment? && File.exist?(@old_filename)
        FileUtils.rm @old_filename
      elsif File.exist?(@old_filename)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.

Perceived complexity for rename_file is too high. [8/7]
Open

    def rename_file
      return unless @old_filename && @old_filename != full_filename
      if save_attachment? && File.exist?(@old_filename)
        FileUtils.rm @old_filename
      elsif File.exist?(@old_filename)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop tries to produce a complexity score that's a measure of the complexity the reader experiences when looking at a method. For that reason it considers when nodes as something that doesn't add as much complexity as an if or a &&. Except if it's one of those special case/when constructs where there's no expression after case. Then the cop treats it as an if/elsif/elsif... and lets all the when nodes count. In contrast to the CyclomaticComplexity cop, this cop considers else nodes as adding complexity.

Example:

def my_method                   # 1
  if cond                       # 1
    case var                    # 2 (0.8 + 4 * 0.2, rounded)
    when 1 then func_one
    when 2 then func_two
    when 3 then func_three
    when 4..10 then func_other
    end
  else                          # 1
    do_something until a && b   # 2
  end                           # ===
end                             # 7 complexity points

Method file_private= has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

    def file_private=(*args)
      # File privacy can only go private => public as a public file cannot
      # be made private at a later time due to the need for previous
      # versions have file access.
      unless !force_privacy && file_private === false
Severity: Minor
Found in lib/item_privacy.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Method store_correct_versions_after_save has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
Open

      def store_correct_versions_after_save
        if private?
          store_private!

          # Store the basket id from the private version for future use..
Severity: Minor
Found in lib/item_privacy.rb - About 35 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Method rename_file has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
Open

    def rename_file
      return unless @old_filename && @old_filename != full_filename
      if save_attachment? && File.exist?(@old_filename)
        FileUtils.rm @old_filename
      elsif File.exist?(@old_filename)
Severity: Minor
Found in lib/item_privacy.rb - About 35 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

TODO found
Open

      # TODO: Work out how to invoke an instance method from an included module..
Severity: Minor
Found in lib/item_privacy.rb by fixme

Rename has_private_version? to private_version?.
Open

      def has_private_version?
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop makes sure that predicates are named properly.

Example:

# bad
def is_even?(value)
end

# good
def even?(value)
end

# bad
def has_value?
end

# good
def value?
end

Prefer Object#is_a? over Object#kind_of?.
Open

        raise 'No private attributes' if private_attrs.nil? || !private_attrs.kind_of?(Array)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop enforces consistent use of Object#is_a? or Object#kind_of?.

Example: EnforcedStyle: is_a? (default)

# bad
var.kind_of?(Date)
var.kind_of?(Integer)

# good
var.is_a?(Date)
var.is_a?(Integer)

Example: EnforcedStyle: kind_of?

# bad
var.is_a?(Time)
var.is_a?(String)

# good
var.kind_of?(Time)
var.kind_of?(String)

Unused method argument - block. If it's necessary, use _ or _block as an argument name to indicate that it won't be used. You can also write as private_version(*) if you want the method to accept any arguments but don't care about them.
Open

      def private_version(&block)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

Use == if you meant to do a comparison or wrap the expression in parentheses to indicate you meant to assign in a condition.
Open

        if public_version = latest_public_version
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for assignments in the conditions of if/while/until.

Example:

# bad

if some_var = true
  do_something
end

Example:

# good

if some_var == true
  do_something
end

Rename has_public_version? to public_version?.
Open

      def has_public_version?
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop makes sure that predicates are named properly.

Example:

# bad
def is_even?(value)
end

# good
def even?(value)
end

# bad
def has_value?
end

# good
def value?
end

Avoid the use of the case equality operator ===.
Open

      unless !force_privacy && file_private === false
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for uses of the case equality operator(===).

Example:

# bad
Array === something
(1..100) === 7
/something/ === some_string

# good
something.is_a?(Array)
(1..100).include?(7)
some_string =~ /something/

Method ItemPrivacy::ActsAsVersionedOverload::ClassMethods#store_correct_versions_after_save is defined at both lib/item_privacy.rb:265 and lib/item_privacy.rb:270.
Open

          alias_method :store_correct_versions_after_save, :orig_store_correct_versions_after_save
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for duplicated instance (or singleton) method definitions.

Example:

# bad

def duplicated
  1
end

def duplicated
  2
end

Example:

# bad

def duplicated
  1
end

alias duplicated other_duplicated

Example:

# good

def duplicated
  1
end

def other_duplicated
  2
end

Unused method argument - save_after_serialization. If it's necessary, use _ or _save_after_serialization as an argument name to indicate that it won't be used. You can also write as store_private!(*) if you want the method to accept any arguments but don't care about them.
Open

      def store_private!(save_after_serialization = false)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

Useless assignment to variable - version.
Open

        version =
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for every useless assignment to local variable in every scope. The basic idea for this cop was from the warning of ruby -cw:

assigned but unused variable - foo

Currently this cop has advanced logic that detects unreferenced reassignments and properly handles varied cases such as branch, loop, rescue, ensure, etc.

Example:

# bad

def some_method
  some_var = 1
  do_something
end

Example:

# good

def some_method
  some_var = 1
  do_something(some_var)
end

Rename is_private? to private?.
Open

      def is_private?
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop makes sure that predicates are named properly.

Example:

# bad
def is_even?(value)
end

# good
def even?(value)
end

# bad
def has_value?
end

# good
def value?
end

Use !empty? instead of size > 0.
Open

        if tags_out_of_order.size > 0
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for numeric comparisons that can be replaced by a predicate method, such as receiver.length == 0, receiver.length > 0, receiver.length != 0, receiver.length < 1 and receiver.size == 0 that can be replaced by receiver.empty? and !receiver.empty.

Example:

# bad
[1, 2, 3].length == 0
0 == "foobar".length
array.length < 1
{a: 1, b: 2}.length != 0
string.length > 0
hash.size > 0

# good
[1, 2, 3].empty?
"foobar".empty?
array.empty?
!{a: 1, b: 2}.empty?
!string.empty?
!hash.empty?

Use tags_out_of_order.size.positive? instead of tags_out_of_order.size > 0.
Open

        if tags_out_of_order.size > 0
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for usage of comparison operators (==, >, <) to test numbers as zero, positive, or negative. These can be replaced by their respective predicate methods. The cop can also be configured to do the reverse.

The cop disregards #nonzero? as it its value is truthy or falsey, but not true and false, and thus not always interchangeable with != 0.

The cop ignores comparisons to global variables, since they are often populated with objects which can be compared with integers, but are not themselves Interger polymorphic.

Example: EnforcedStyle: predicate (default)

# bad

foo == 0
0 > foo
bar.baz > 0

# good

foo.zero?
foo.negative?
bar.baz.positive?

Example: EnforcedStyle: comparison

# bad

foo.zero?
foo.negative?
bar.baz.positive?

# good

foo == 0
0 > foo
bar.baz > 0

Prefer using YAML.safe_load over YAML.load.
Open

        private_attrs = YAML.load(private_version_serialized)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Example:

# bad
YAML.load("--- foo")

# good
YAML.safe_load("--- foo")
YAML.dump("foo")

Avoid rescuing without specifying an error class.
Open

      rescue
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for rescuing StandardError. There are two supported styles implicit and explicit. This cop will not register an offense if any error other than StandardError is specified.

Example: EnforcedStyle: implicit

# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.

# bad
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

Example: EnforcedStyle: explicit (default)

# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.

# bad
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

Use a guard clause instead of wrapping the code inside a conditional expression.
Open

      unless !force_privacy && file_private === false
Severity: Minor
Found in lib/item_privacy.rb by rubocop

Use a guard clause instead of wrapping the code inside a conditional expression

Example:

# bad
def test
  if something
    work
  end
end

# good
def test
  return unless something
  work
end

# also good
def test
  work if something
end

# bad
if something
  raise 'exception'
else
  ok
end

# good
raise 'exception' if something
ok

Unused method argument - block. If it's necessary, use _ or _block as an argument name to indicate that it won't be used. You can also write as without_saving_private(*) if you want the method to accept any arguments but don't care about them.
Open

      def without_saving_private(&block)
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for unused method arguments.

Example:

# bad

def some_method(used, unused, _unused_but_allowed)
  puts used
end

Example:

# good

def some_method(used, _unused, _unused_but_allowed)
  puts used
end

Avoid rescuing without specifying an error class.
Open

      rescue
Severity: Minor
Found in lib/item_privacy.rb by rubocop

This cop checks for rescuing StandardError. There are two supported styles implicit and explicit. This cop will not register an offense if any error other than StandardError is specified.

Example: EnforcedStyle: implicit

# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.

# bad
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

Example: EnforcedStyle: explicit (default)

# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.

# bad
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

There are no issues that match your filters.

Category
Status