Sign upLogin

nerdhub/hcking

View on GitHub
Star

Showing 144 of 144 total issues

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.2)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.8.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

HTTP Response Splitting vulnerability in puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5247

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Solution: upgrade to ~> 3.12.4, >= 4.3.3

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

HTTP Response Splitting (Early Hints) in Puma
Open

    puma (3.11.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.8.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

uglifier incorrectly handles non-boolean comparisons during minification
Open

    uglifier (2.5.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-126747

URL: https://github.com/mishoo/UglifyJS2/issues/751

Solution: upgrade to >= 2.7.2

Complex method ActiveAdminAbility#initialize (77.9)
Open

  def initialize(user)
    if user.present? && user.admin?
      can :manage, :all
    elsif user.present?
      # Achtung! Keine Blocks benutzen, sondern immer die
Severity: Minor
Found in app/models/active_admin_ability.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method CallbacksController#all (55.4)
Open

  def all

    # If there is no token, but we are currently logged in
    if current_user
      @auth = Authorization.create_authorization(request.env["omniauth.auth"], current_user)
Severity: Minor
Found in app/controllers/callbacks_controller.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method SingleEvent#<=> (51.7)
Open

  def <=>(other)
    if (self.occurrence.year != other.occurrence.year) || (self.occurrence.month != other.occurrence.month) || (self.occurrence.day != other.occurrence.day)
      # not on same day
      return self.occurrence <=> other.occurrence
    elsif self.full_day
Severity: Minor
Found in app/models/single_event.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Complex method main#create (49.4)
Open

    def create
      create! do |success, failure|
        success.html do
          redirect_to admin_event_path(params[:event_id])
Severity: Minor
Found in app/admin/radar_settings.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Method reset_pk_sequence! has a Cognitive Complexity of 20 (exceeds 5 allowed). Consider refactoring.
Open

                def reset_pk_sequence!(table, pk = nil, sequence = nil) #:nodoc:
                    unless pk and sequence
                        default_pk, default_sequence = pk_and_sequence_for(table)

                        pk ||= default_pk
Severity: Minor
Found in config/initializers/backport_pg_10_support_to_rails_4.rb - About 2 hrs to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

Complex method main#reconstruct_start_time (44.0)
Open

    def reconstruct_start_time
      params[:event]["start_time"] = Time.zone.local(
        params[:event].delete("start_time(1i)").to_i,
        params[:event].delete("start_time(2i)").to_i,
        params[:event].delete("start_time(3i)").to_i,
Severity: Minor
Found in app/admin/events.rb by flog

Flog calculates the ABC score for methods. The ABC score is based on assignments, branches (method calls), and conditions.

You can read more about ABC metrics or the flog tool

Severity
Category
Status
Source
Language