Sign upLogin

null-open-security-community/swachalit

View on GitHub
Star

Showing 78 of 78 total issues

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.10.9)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.10.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.6.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.10.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Uncontrolled Recursion in Loofah
Open

    loofah (2.6.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23516

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Solution: upgrade to >= 2.19.1

Class Event has 27 methods (exceeds 20 allowed). Consider refactoring.
Open

class Event < ActiveRecord::Base
  audited
  @queue = :event_jobs

  attr_accessible :name, :description, :event_type_id, :chapter_id, :venue_id
Severity: Minor
Found in app/models/event.rb - About 3 hrs to fix

    Class User has 23 methods (exceeds 20 allowed). Consider refactoring.
    Open

    class User < ActiveRecord::Base
  audited

  # Include default devise modules. Others available are:
  # :token_authenticatable, :confirmable,
    Severity: Minor
    Found in app/models/user.rb - About 2 hrs to fix

      Similar blocks of code found in 2 locations. Consider refactoring.
      Open

      module API
  class EventRegistration < Grape::API
    include ::API::Helper

    version 'v1', using: :header, vendor: 'swachalit'
      Severity: Major
      Found in lib/api/event_registrations.rb and 1 other location - About 1 hr to fix
      lib/api/event_sessions.rb on lines 4..25

      Duplicated Code

      Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

      Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

      When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

      Tuning

      This issue has a mass of 75.

      We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

      The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

      If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

      See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

      Refactorings

      Further Reading

      Similar blocks of code found in 2 locations. Consider refactoring.
      Open

      module API
  class EventSession < Grape::API
    include ::API::Helper

    version 'v1', using: :header, vendor: 'swachalit'
      Severity: Major
      Found in lib/api/event_sessions.rb and 1 other location - About 1 hr to fix
      lib/api/event_registrations.rb on lines 4..25

      Duplicated Code

      Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

      Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

      When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

      Tuning

      This issue has a mass of 75.

      We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

      The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

      If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

      See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

      Refactorings

      Further Reading

      Method setup_scheduled_tasks has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring.
      Open

        def setup_scheduled_tasks
    return if disable_background_tasks?

    remove_scheduled_tasks()
      Severity: Minor
      Found in app/models/event.rb - About 1 hr to fix

      Cognitive Complexity

      Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

      A method's cognitive complexity is based on a few simple rules:

      • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
      • Code is considered more complex for each "break in the linear flow of the code"
      • Code is considered more complex when "flow breaking structures are nested"

      Further reading

      Prototype pollution attack through jQuery $.extend
      Open

          jquery-rails (4.3.3)
      Severity: Minor
      Found in Gemfile.lock by bundler-audit

      Advisory: CVE-2019-11358

      Criticality: Medium

      URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

      Solution: upgrade to >= 4.3.4

      Identical blocks of code found in 2 locations. Consider refactoring.
      Open

        def twitter_handle_name
    h = nil
    if self.twitter_handle.to_s.strip =~ /https?:\/\/(www\.)?twitter\.com\/(.*)/
      h = $2.to_s
    elsif self.twitter_handle.to_s.strip =~ /twitter\.com\/([a-zA-Z0-9_]+)/
      Severity: Minor
      Found in app/models/user.rb and 1 other location - About 45 mins to fix
      app/models/chapter.rb on lines 23..34

      Duplicated Code

      Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

      Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

      When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

      Tuning

      This issue has a mass of 41.

      We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

      The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

      If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

      See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

      Refactorings

      Further Reading

      Identical blocks of code found in 2 locations. Consider refactoring.
      Open

        def twitter_handle_name
    h = nil
    if self.twitter_handle.to_s.strip =~ /https?:\/\/(www\.)?twitter\.com\/(.*)/
      h = $2.to_s
    elsif self.twitter_handle.to_s.strip =~ /twitter\.com\/([a-zA-Z0-9_]+)/
      Severity: Minor
      Found in app/models/chapter.rb and 1 other location - About 45 mins to fix
      app/models/user.rb on lines 53..64

      Duplicated Code

      Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

      Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

      When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

      Tuning

      This issue has a mass of 41.

      We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

      The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

      If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

      See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

      Refactorings

      Further Reading

      Method mass_update has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
      Open

        def mass_update
    @event_registrations = @event.event_registrations

    errors = []
    if verified_request?
      Severity: Minor
      Found in app/controllers/leads/event_registrations_controller.rb - About 45 mins to fix

      Cognitive Complexity

      Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

      A method's cognitive complexity is based on a few simple rules:

      • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
      • Code is considered more complex for each "break in the linear flow of the code"
      • Code is considered more complex when "flow breaking structures are nested"

      Further reading

      Method date_time_validator has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
      Open

        def date_time_validator
    if self.start_time and self.end_time
      errors.add(:start_time, 'cannot be before event start') if self.event.start_time > self.start_time
      errors.add(:end_time, 'cannot be after event end') if self.event.end_time < self.end_time
      errors.add(:end_time, 'cannot modify beyond 30 days after Event End Time') \
      Severity: Minor
      Found in app/models/event_session.rb - About 45 mins to fix

      Cognitive Complexity

      Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

      A method's cognitive complexity is based on a few simple rules:

      • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
      • Code is considered more complex for each "break in the linear flow of the code"
      • Code is considered more complex when "flow breaking structures are nested"

      Further reading

      Method rsvp_user_reminder has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
      Open

        def rsvp_user_reminder()
    self.event.event_registrations.each do |registration|
      next unless registration.confirmed?
      EventMailer.rsvp_user_reminder_mail(registration.user, event).deliver_now() unless registration.user.nil?
    end
      Severity: Minor
      Found in app/models/event_automatic_notification_task.rb - About 35 mins to fix

      Cognitive Complexity

      Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

      A method's cognitive complexity is based on a few simple rules:

      • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
      • Code is considered more complex for each "break in the linear flow of the code"
      • Code is considered more complex when "flow breaking structures are nested"

      Further reading

      Method speaker_remind_presentation_update has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
      Open

        def speaker_remind_presentation_update
    self.event.event_sessions.each do |ev_session|
      next if ev_session.placeholder?
      next unless ev_session.presentation_url.to_s.empty?
      EventMailer.session_speaker_presentation_update_mail(ev_session).deliver_now()
      Severity: Minor
      Found in app/models/event_automatic_notification_task.rb - About 35 mins to fix

      Cognitive Complexity

      Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

      A method's cognitive complexity is based on a few simple rules:

      • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
      • Code is considered more complex for each "break in the linear flow of the code"
      • Code is considered more complex when "flow breaking structures are nested"

      Further reading

      Similar blocks of code found in 2 locations. Consider refactoring.
      Open

        def like
    @event_session = EventSession.find_for_voting(params[:id])

    if current_user.voted_up_on? @event_session
      @event_session.unliked_by current_user
      Severity: Minor
      Found in app/controllers/event_sessions_controller.rb and 1 other location - About 30 mins to fix
      app/controllers/event_sessions_controller.rb on lines 96..107

      Duplicated Code

      Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

      Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

      When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

      Tuning

      This issue has a mass of 33.

      We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

      The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

      If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

      See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

      Refactorings

      Further Reading

      Severity
      Category
      Status
      Source
      Language