Showing 62 of 62 total issues

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-16932

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.1

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Open

    i18n (0.7.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-10077

URL: https://github.com/svenfuchs/i18n/pull/289

Solution: upgrade to >= 0.8.0

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.6.8)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.6.8)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.6.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.6.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.6.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Class AssetType has 32 methods (exceeds 20 allowed). Consider refactoring.
Open

      class AssetType
        
        # The Asset Type encapsulates a type of attachment.
        # Conventionally this would be a sensible category like 'image' or 'video'
        # that should be processed and presented in a particular way.
Severity: Minor
Found in lib/hijack/output_drivers/radiant/asset_type.rb - About 4 hrs to fix

Class Asset has 29 methods (exceeds 20 allowed). Consider refactoring.
Open

      class Asset < Base

        include Paperclip::Glue

        has_many :page_attachments, :dependent => :destroy, :class_name => 'Hijack::OutputDrivers::Radiant::PageAttachment'
Severity: Minor
Found in lib/hijack/output_drivers/radiant/asset.rb - About 3 hrs to fix

Method inner_suck has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring.
Open

      def inner_suck(p, limit)
        return if enough?(limit)
        p.links.each do
          |l|
          begin
Severity: Minor
Found in lib/hijack/page_loader.rb - About 1 hr to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

• Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
• Code is considered more complex for each "break in the linear flow of the code"
• Code is considered more complex when "flow breaking structures are nested"


Cyclomatic complexity for initialize is too high. [8/6]
Open

      def initialize(name, options = {})
        options = options.symbolize_keys
        @name = name
        @icon_name = options[:icon] || name
        @processors = options[:processors] || []

This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.

An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.
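As an added example, not code from the project or from RuboCop: a small counter that applies the rule above (decision points plus one, where if/unless/?:, &&/and, ||/or and loops each count) to a method, using the Ripper parser from Ruby's standard library. The sample method build_asset is constructed for the demonstration and is not the project's initialize shown above; an elsif is counted as a nested if.

```ruby
require "ripper"

# Ripper node types for the branching constructs the cop counts:
# if/unless (statement and modifier form), elsif, ternary, and loops.
BRANCH_NODES = %i[if elsif unless if_mod unless_mod ifop
                  while until while_mod until_mod for].freeze

# Operators inside a [:binary, lhs, op, rhs] node that add a decision point.
SHORT_CIRCUIT_OPS = %i[&& || and or].freeze

# Walk the S-expression recursively and count decision points.
def count_decisions(node)
  return 0 unless node.is_a?(Array)
  count = 0
  if node.first.is_a?(Symbol)
    count += 1 if BRANCH_NODES.include?(node.first)
    count += 1 if node.first == :binary && SHORT_CIRCUIT_OPS.include?(node[2])
  end
  node.each { |child| count += count_decisions(child) }
  count
end

# Cyclomatic complexity = decision points + 1.
def cyclomatic_complexity(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, "source does not parse" if sexp.nil?
  1 + count_decisions(sexp)
end

# Constructed sample method (hypothetical, not the project's initialize).
# Decision points: three ||, one modifier if, one &&, one ?: => 6, so complexity 7.
SAMPLE = <<~RUBY
  def build_asset(name, options = {})
    options = options.transform_keys(&:to_sym)
    icon_name  = options[:icon] || name
    processors = options[:processors] || []
    mime_types = options[:mime_types] || []
    default    = true if options[:default] && !name.nil?
    visible    = options[:hidden] ? false : true
    [name, icon_name, processors, mime_types, default, visible]
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "build_asset: cyclomatic complexity #{cyclomatic_complexity(SAMPLE)} (max 6)"
end
```

The counter implements only the constructs the paragraph lists, so its numbers will not always match the cop's: RuboCop's CyclomaticComplexity additionally counts constructs such as case/when branches and rescue clauses, which is one reason the project's initialize scores 8 while a method with the same shape here scores 7.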

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Unsafe Query Generation Risk in Active Record
Open

    activerecord (4.2.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6317

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

Solution: upgrade to >= 4.2.7.1
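As an added example that is not part of the Code Climate output or of the project: a small Ruby checker that re-derives the open status and a single upgrade target per gem from the version pins and "upgrade to" lines listed above, using Gem::Version and Gem::Requirement from rubygems. The locked versions and the advisory subset are copied from the listing; reading comma-separated "upgrade to" items as alternative patched release lines (rather than one combined requirement) is an assumption about how the listing flattens the advisory database's patched_versions field, and the tzinfo line shows why that reading matters.

```ruby
require "rubygems"

# Constructed sample: the gem versions pinned in this project's Gemfile.lock, as listed above.
LOCKED = {
  "nokogiri"     => "1.6.8",
  "i18n"         => "0.7.0",
  "tzinfo"       => "1.2.2",
  "activerecord" => "4.2.6",
}.freeze

# Constructed sample: a subset of the (gem, advisory, "upgrade to" text) triples from the listing.
ADVISORIES = [
  ["nokogiri",     "CVE-2019-5477",       ">= 1.10.4"],
  ["nokogiri",     "CVE-2020-26247",      ">= 1.11.0.rc4"],
  ["nokogiri",     "CVE-2021-41098",      ">= 1.12.5"],
  ["nokogiri",     "CVE-2022-24836",      ">= 1.13.4"],
  ["nokogiri",     "GHSA-cgx6-hpwq-fhv5", ">= 1.13.5"],
  ["i18n",         "CVE-2014-10077",      ">= 0.8.0"],
  ["tzinfo",       "CVE-2022-31163",      "~> 0.3.61, >= 1.2.10"],
  ["activerecord", "CVE-2016-6317",       ">= 4.2.7.1"],
].freeze

# Assumption: each comma-separated item is a separate patched release line;
# a locked version is safe if it falls inside ANY of them.
def patched_lines(text)
  text.split(",").map { |item| Gem::Requirement.new(item.strip) }
end

def patched?(version, text)
  v = Gem::Version.new(version)
  patched_lines(text).any? { |req| req.satisfied_by?(v) }
end

# The tempting one-liner treats the items as one conjunctive requirement.
# For tzinfo that demands ~> 0.3.61 AND >= 1.2.10, which no version meets,
# so every version (including the fixed one) reports as unpatched.
def patched_if_read_as_conjunction?(version, text)
  req = Gem::Requirement.new(*text.split(",").map(&:strip))
  req.satisfied_by?(Gem::Version.new(version))
end

# Advisory ids whose patched lines the locked version has not reached.
def open_advisories(gem_name)
  ADVISORIES.select { |g, _id, text| g == gem_name && !patched?(LOCKED.fetch(g), text) }
            .map { |_g, id, _text| id }
end

# Lowest version that closes every advisory for the gem, preferring a patched
# line on the same major version as the lock. Only >= and ~> appear in this
# listing; both set a floor at their version, and other operators are not handled.
def upgrade_target(gem_name)
  locked = Gem::Version.new(LOCKED.fetch(gem_name))
  major  = locked.segments.first
  floors = ADVISORIES.select { |g, _id, _text| g == gem_name }.map do |_g, _id, text|
    lines = patched_lines(text)
    same_major = lines.select { |r| r.requirements.all? { |_op, v| v.segments.first == major } }
    (same_major.empty? ? lines : same_major)
      .map { |r| r.requirements.map { |_op, v| v }.max }
      .min
  end
  [locked, *floors].max.to_s
end

if __FILE__ == $PROGRAM_NAME
  LOCKED.each_key do |g|
    puts "#{g} #{LOCKED[g]}: #{open_advisories(g).size} open, upgrade to >= #{upgrade_target(g)}"
  end
end
```

Run with `ruby check.rb`: every advisory in the subset reports as open, and the targets come out as nokogiri 1.13.5, i18n 0.8.0, tzinfo 1.2.10 and activerecord 4.2.7.1. The tzinfo case is the one to watch in any home-grown checker: tzinfo 0.3.61 and 1.2.10 are both fixed releases, but a Gem::Requirement built from both constraints at once is unsatisfiable and would flag the upgraded lock as still vulnerable.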
