rike422/loose-leaf

Showing 119 of 119 total issues

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (5.0.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.6.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (5.0.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.8.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.6.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.6.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  receiveAttribute (data) {
    if (data.document_id !== this.documentId) {
      return
    }

Severity: Major
Found in client/src/loose-leaf/cable.js and 1 other location - About 2 hrs to fix
client/src/loose-leaf/cable.js on lines 93..109

Duplicated Code

Duplicated code can lead to software that is hard to understand and difficult to change. The Don't Repeat Yourself (DRY) principle states:

Every piece of knowledge must have a single, unambiguous, authoritative representation within a system.

When you violate DRY, bugs and maintenance problems are sure to follow. Duplicated code has a tendency to both continue to replicate and also to diverge (leaving bugs as two similar implementations differ in subtle ways).

Tuning

This issue has a mass of 93.

We set useful threshold defaults for the languages we support but you may want to adjust these settings based on your project guidelines.

The threshold configuration represents the minimum mass a code block must have to be analyzed for duplication. The lower the threshold, the more fine-grained the comparison.

If the engine is too easily reporting duplication, try raising the threshold. If you suspect that the engine isn't catching enough duplication, try lowering the threshold. The best setting tends to differ from language to language.

See codeclimate-duplication's documentation for more information about tuning the mass threshold in your .codeclimate.yml.

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  receiveOperation (data) {
    if (data.document_id !== this.documentId) {
      return
    }

Severity: Major
Found in client/src/loose-leaf/cable.js and 1 other location - About 2 hrs to fix
client/src/loose-leaf/cable.js on lines 75..91

Tuning

This issue has a mass of 93.

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  module: {
    preLoaders: [
      {
        test: /\.(js|jsx|js\.flow)$/,
        loader: 'standard',
Severity: Major
Found in client/webpack.config.dev.js and 1 other location - About 2 hrs to fix
client/webpack.config.prod.js on lines 35..56

Tuning

This issue has a mass of 78.

Similar blocks of code found in 2 locations. Consider refactoring.
Open

  module: {
    preLoaders: [
      {
        test: /\.(js|jsx|js\.flow)$/,
        loader: 'standard',
Severity: Major
Found in client/webpack.config.prod.js and 1 other location - About 2 hrs to fix
client/webpack.config.dev.js on lines 29..50

Tuning

This issue has a mass of 78.

Function operationFromTextChange has 27 lines of code (exceeds 25 allowed). Consider refactoring.
Open

  operationFromTextChange (oldContent, newContent) {
    const op = new ot.TextOperation()

    if (oldContent === newContent) {
      return op
Severity: Minor
Found in client/src/loose-leaf/adapters/textarea-adapter.js - About 1 hr to fix

Function operationFromTextChange has a Cognitive Complexity of 9 (exceeds 5 allowed). Consider refactoring.
Open

  operationFromTextChange (oldContent, newContent) {
    const op = new ot.TextOperation()

    if (oldContent === newContent) {
      return op
Severity: Minor
Found in client/src/loose-leaf/adapters/textarea-adapter.js - About 55 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

• Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
• Code is considered more complex for each "break in the linear flow of the code"
• Code is considered more complex when "flow breaking structures are nested"

Denial of service via multipart parsing in Rack
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Possible information leak / session hijack vulnerability
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Possible arbitrary path traversal and file access via yard server
Open

    yard (0.9.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory:

URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr

Solution: upgrade to >= 0.9.20

Broken Access Control vulnerability in Active Job
Open

    activejob (5.0.0.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Possible XSS vulnerability in Rack
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Potential arbitrary file read vulnerability in yard server
Open

    yard (0.9.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-17042

Criticality: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-17042

Solution: upgrade to >= 0.9.11
