Showing 95 of 95 total issues
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
File Content Disclosure in Action View Open
actionview (4.2.5.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3
Possible information leak / session hijack vulnerability Open
rack (1.6.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Possible XSS vulnerability in Rack Open
rack (1.6.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Possible XSS Vulnerability in Action View Open
actionview (4.2.5.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-6316
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1
rack-cors Gem Missing Anchor permits unauthorized CORS requests Open
rack-cors (0.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-11173
Criticality: High
URL: https://github.com/cyu/rack-cors/issues/86
Solution: upgrade to >= 0.4.1
Rails 4.2.5.1 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1 Open
rails (4.2.5.1)
- Read upRead up
- Exclude checks
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)
- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.3)
- Read upRead up
- Exclude checks
Insufficient validation for 'start_date' using /\d{4}-\d{2}-\d{2}/. Use \A and \z as anchors Open
validates :start_date, format: { with: /\d{4}-\d{2}-\d{2}/,
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
Rails 4.2.5.1 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1 Open
rails (4.2.5.1)
- Read upRead up
- Exclude checks
Insufficient validation for 'duedate' using /\d{4}-\d{2}-\d{2}/. Use \A and \z as anchors Open
validates_format_of :duedate, with: /\d{4}-\d{2}-\d{2}/, :message => "must be in the following format: yyyy-mm-dd"
- Read upRead up
- Exclude checks
Calls to validates_format_of ..., :with => //
which do not use \A
and \z
as anchors will cause this warning. Using ^
and $
is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.
See the Ruby Security Guide for details.
end
at 11, 3 is not aligned with def
at 4, 2. Open
end
- Read upRead up
- Exclude checks
This cop checks whether the end keywords of method definitions are aligned properly.
Two modes are supported through the EnforcedStyleAlignWith configuration
parameter. If it's set to start_of_line
(which is the default), the
end
shall be aligned with the start of the line where the def
keyword is. If it's set to def
, the end
shall be aligned with the
def
keyword.
Example: EnforcedStyleAlignWith: startofline (default)
# bad
private def foo
end
# good
private def foo
end
Example: EnforcedStyleAlignWith: def
# bad
private def foo
end
# good
private def foo
end
Do not suppress exceptions. Open
rescue LoadError
- Read upRead up
- Exclude checks
This cop checks for rescue blocks with no body.
Example:
# bad
def some_method
do_something
rescue
# do nothing
end
Example:
# bad
begin
do_something
rescue
# do nothing
end
Example:
# good
def some_method
do_something
rescue
handle_exception
end
Example:
# good
begin
do_something
rescue
handle_exception
end
Possible remote code execution vulnerability in Action Pack Open
actionpack (4.2.5.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14