Sign upLogin

khalilgharbaoui/check-taskmanager-back-end-api

View on GitHub
Star

Showing 95 of 95 total issues

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

File Content Disclosure in Action View
Open

    actionview (4.2.5.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Possible information leak / session hijack vulnerability
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Possible XSS vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Possible XSS Vulnerability in Action View
Open

    actionview (4.2.5.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6316

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

rack-cors Gem Missing Anchor permits unauthorized CORS requests
Open

    rack-cors (0.4.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-11173

Criticality: High

URL: https://github.com/cyu/rack-cors/issues/86

Solution: upgrade to >= 0.4.1

Rails 4.2.5.1 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
Open

    rails (4.2.5.1)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://github.com/flavorjones/loofah/issues/144

rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Insufficient validation for 'start_date' using /\d{4}-\d{2}-\d{2}/. Use \A and \z as anchors
Open

  validates :start_date, format: { with: /\d{4}-\d{2}-\d{2}/,
Severity: Critical
Found in app/models/project.rb by brakeman

Calls to validates_format_of ..., :with => // which do not use \A and \z as anchors will cause this warning. Using ^ and $ is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.

See the Ruby Security Guide for details.

Rails 4.2.5.1 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
Open

    rails (4.2.5.1)
Severity: Critical
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/ruby-security-ann/WccgKSKiPZA/9DrsDVSoCgAJ

Insufficient validation for 'duedate' using /\d{4}-\d{2}-\d{2}/. Use \A and \z as anchors
Open

  validates_format_of :duedate, with: /\d{4}-\d{2}-\d{2}/, :message => "must be in the following format: yyyy-mm-dd"
Severity: Critical
Found in app/models/task.rb by brakeman

Calls to validates_format_of ..., :with => // which do not use \A and \z as anchors will cause this warning. Using ^ and $ is not sufficient, as they will only match up to a new line. This allows an attacker to put whatever malicious input they would like before or after a new line character.

See the Ruby Security Guide for details.

end at 11, 3 is not aligned with def at 4, 2.
Open

   end
Severity: Minor
Found in app/controllers/tasks_controller.rb by rubocop

This cop checks whether the end keywords of method definitions are aligned properly.

Two modes are supported through the EnforcedStyleAlignWith configuration parameter. If it's set to start_of_line (which is the default), the end shall be aligned with the start of the line where the def keyword is. If it's set to def, the end shall be aligned with the def keyword.

Example: EnforcedStyleAlignWith: startofline (default)

# bad

private def foo
            end

# good

private def foo
end

Example: EnforcedStyleAlignWith: def

# bad

private def foo
            end

# good

private def foo
        end

Do not suppress exceptions.
Open

rescue LoadError
Severity: Minor
Found in config.ru by rubocop

This cop checks for rescue blocks with no body.

Example:

# bad

def some_method
  do_something
rescue
  # do nothing
end

Example:

# bad

begin
  do_something
rescue
  # do nothing
end

Example:

# good

def some_method
  do_something
rescue
  handle_exception
end

Example:

# good

begin
  do_something
rescue
  handle_exception
end

Possible remote code execution vulnerability in Action Pack
Open

    actionpack (4.2.5.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Severity
Category
Status
Source
Language