Sign upLogin

lgromanowski/acme-plugin

View on GitHub
Star

Showing 70 of 70 total issues

File Content Disclosure in Action View
Open

    actionview (5.1.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Path Traversal in Sprockets
Open

    sprockets (3.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Regular Expression Denial of Service in websocket-extensions (RubyGem)
Open

    websocket-extensions (0.1.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7663

Criticality: High

URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2

Solution: upgrade to >= 0.1.5

Method private_key has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

    def private_key
      store ||= PrivateKeyStore.new(private_key_from_db) if @options.fetch(:private_key_in_db, false)

      pk_id = @options.fetch(:private_key, nil)
Severity: Minor
Found in lib/acme_plugin.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://github.com/flavorjones/loofah/issues/144

Method AcmePlugin::CertGenerator#client is defined at both lib/acme_plugin.rb:21 and lib/acme_plugin.rb:51.
Open

    def client
Severity: Minor
Found in lib/acme_plugin.rb by rubocop

This cop checks for duplicated instance (or singleton) method definitions.

Example:

# bad

def duplicated
  1
end

def duplicated
  2
end

Example:

# bad

def duplicated
  1
end

alias duplicated other_duplicated

Example:

# good

def duplicated
  1
end

def other_duplicated
  2
end

Avoid rescuing without specifying an error class.
Open

    rescue => e
Severity: Minor
Found in lib/acme_plugin.rb by rubocop

This cop checks for rescuing StandardError. There are two supported styles implicit and explicit. This cop will not register an offense if any error other than StandardError is specified.

Example: EnforcedStyle: implicit

# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.

# bad
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

Example: EnforcedStyle: explicit (default)

# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.

# bad
begin
  foo
rescue
  bar
end

# good
begin
  foo
rescue StandardError
  bar
end

# good
begin
  foo
rescue OtherError
  bar
end

# good
begin
  foo
rescue StandardError, SecurityError
  bar
end

Dependencies should be sorted in an alphabetical order within their section of the gemspec. Dependency nokogiri should appear before rails.
Open

  s.add_dependency 'nokogiri', '~>1.8.1'
Severity: Minor
Found in acme_plugin.gemspec by rubocop

Dependencies in the gemspec should be alphabetically sorted.

Example:

# bad
spec.add_dependency 'rubocop'
spec.add_dependency 'rspec'

# good
spec.add_dependency 'rspec'
spec.add_dependency 'rubocop'

# good
spec.add_dependency 'rubocop'

spec.add_dependency 'rspec'

# bad
spec.add_development_dependency 'rubocop'
spec.add_development_dependency 'rspec'

# good
spec.add_development_dependency 'rspec'
spec.add_development_dependency 'rubocop'

# good
spec.add_development_dependency 'rubocop'

spec.add_development_dependency 'rspec'

# bad
spec.add_runtime_dependency 'rubocop'
spec.add_runtime_dependency 'rspec'

# good
spec.add_runtime_dependency 'rspec'
spec.add_runtime_dependency 'rubocop'

# good
spec.add_runtime_dependency 'rubocop'

spec.add_runtime_dependency 'rspec'

# good only if TreatCommentsAsGroupSeparators is true
# For code quality
spec.add_dependency 'rubocop'
# For tests
spec.add_dependency 'rspec'

Prefer using YAML.safe_load over YAML.load.
Open

      YAML.load(evaluate_file(filename))
Severity: Minor
Found in lib/acme_plugin/configuration.rb by rubocop

This cop checks for the use of YAML class methods which have potential security issues leading to remote code execution when loading from an untrusted source.

Example:

# bad
YAML.load("--- foo")

# good
YAML.safe_load("--- foo")
YAML.dump("foo")
Severity
Category
Status
Source
Language