Showing 119 of 119 total issues
Possible shell escape sequence injection vulnerability in Rack Open
rack (2.0.1)
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Path Traversal in Sprockets Open
sprockets (3.7.0)
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Possible information leak / session hijack vulnerability Open
rack (2.0.1)
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
XSS vulnerability in rails-html-sanitizer Open
rails-html-sanitizer (1.0.3)
Advisory: CVE-2018-3741
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Solution: upgrade to >= 1.0.4
Possible arbitrary path traversal and file access via yard server Open
yard (0.9.5)
Advisory:
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20
Potential arbitrary file read vulnerability in yard server Open
yard (0.9.5)
Advisory: CVE-2017-17042
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
Solution: upgrade to >= 0.9.11
Denial of Service Vulnerability in Action View Open
actionview (5.0.0.1)
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
ruby-ffi DLL loading issue on Windows OS Open
ffi (1.9.14)
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Denial of service via multipart parsing in Rack Open
rack (2.0.1)
Advisory: CVE-2022-44572
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Arbitrary path traversal and file access via yard server Open
yard (0.9.5)
Advisory: CVE-2019-1020001
Criticality: High
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20
Method symbolize_keys has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring. Open
def symbolize_keys(hash)
  hash.each_with_object({}) do |(key, value), new_hash|
    new_key = key.is_a?(String) ? key.to_sym : key
    new_value = value.is_a?(Hash) ? symbolize_keys(value) : value
    new_hash[new_key] = new_value
  end
end
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
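One way to bring the method above under the limit, as an added example rather than the project's own code: the two conditionals move into helpers of their own, so nothing is nested inside the block any more, and the behaviour on nested hashes, non-string keys and non-hash values stays the same. Note that `to_sym` on attacker-controlled keys is no longer a memory-exhaustion concern (dynamically created symbols have been garbage-collected since Ruby 2.2), but the method still symbolizes every string key it is given, so callers should pass it only the keys they expect.

```ruby
# Added example, not the LooseLeaf code base: same contract as the flagged
# symbolize_keys, restructured so each branch stands alone.
def symbolize_keys(hash)
  hash.map { |key, value| [symbolize_key(key), symbolize_value(value)] }.to_h
end

# String keys become symbols; symbols, integers and anything else pass through.
def symbolize_key(key)
  key.is_a?(String) ? key.to_sym : key
end

# Nested hashes are converted recursively; arrays and scalars are left as-is.
def symbolize_value(value)
  value.is_a?(Hash) ? symbolize_keys(value) : value
end

if __FILE__ == $PROGRAM_NAME
  p symbolize_keys('a' => 1, 'b' => { 'c' => 2 }, 3 => 'x')
end
```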
rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.3)
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)
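The gem advisories above (the bundler-audit findings from rack through yard, and the two Brakeman findings for rails-html-sanitizer and loofah) all reduce to one check: a version is safe only if it satisfies at least one whole patched-version constraint. The "Solution" lines flatten those constraints into a single comma-separated list, which hides the grouping; for example, ">= 2.1.4.1" on its own would wrongly clear rack 2.2.0, while the real constraint is "~> 2.1.4, >= 2.1.4.1". The following is an added example, not the project's code or bundler-audit's: it re-checks a constructed Gemfile.lock excerpt carrying the versions reported above, and the grouping of the constraints is my reading of the Solution lines.

```ruby
# Added example, not part of the Code Climate page or the LooseLeaf project.
# Constraint grouping below is inferred from the flattened "Solution" lines
# above (assumption); each string is one constraint whose comma-separated
# requirements must all hold together.
require 'rubygems'

ADVISORIES = {
  'rack' => {
    'CVE-2022-30123' => ['~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'],
    'CVE-2019-16782' => ['~> 1.6.12', '>= 2.0.8'],
    'CVE-2022-44572' => ['~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2',
                         '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'],
  },
  'sprockets' => { 'CVE-2018-3760' => ['< 3.0.0, >= 2.12.5', '< 4.0.0, >= 3.7.2', '>= 4.0.0.beta8'] },
  'rails-html-sanitizer' => { 'CVE-2018-3741' => ['>= 1.0.4'] },
  'yard' => { 'CVE-2017-17042' => ['>= 0.9.11'], 'CVE-2019-1020001' => ['>= 0.9.20'] },
  'actionview' => { 'CVE-2019-5419' => ['>= 6.0.0.beta3', '~> 5.2.2, >= 5.2.2.1',
                                        '~> 5.1.6, >= 5.1.6.2', '~> 5.0.7, >= 5.0.7.2',
                                        '~> 4.2.11, >= 4.2.11.1'] },
  'ffi' => { 'CVE-2018-1000201' => ['>= 1.9.24'] },
  'loofah' => { 'CVE-2018-8048' => ['>= 2.1.2'] },
}.freeze

# True when `version` satisfies any one of the patched-version constraints.
# Gem::Requirement.new takes the requirements of one constraint as separate
# arguments and requires all of them to hold.
def patched?(version, patched_versions)
  v = Gem::Version.new(version)
  patched_versions.any? do |constraint|
    Gem::Requirement.new(*constraint.split(/,\s*/)).satisfied_by?(v)
  end
end

# Walks the `specs:` section of a Gemfile.lock (gem lines are indented by
# exactly four spaces, their dependencies by six) and returns
# [name, version, advisory] triples for every gem that is not patched.
def audit(lockfile_text)
  findings = []
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/)
    next unless m
    name, version = m[1], m[2]
    ADVISORIES.fetch(name, {}).each do |advisory, patched_versions|
      findings << [name, version, advisory] unless patched?(version, patched_versions)
    end
  end
  findings
end

# Constructed lockfile excerpt with the versions reported on this page.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (5.0.0.1)
        activesupport (= 5.0.0.1)
      ffi (1.9.14)
      loofah (2.0.3)
      rack (2.0.1)
      rails-html-sanitizer (1.0.3)
      sprockets (3.7.0)
      yard (0.9.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each { |name, version, advisory| puts "#{name} #{version}: #{advisory}" }
end
```

Run it as a script to print the ten findings for the sample lockfile. The rack case is the one worth keeping in mind: 2.0.9.1 clears CVE-2022-30123 through the "~> 2.0.9, >= 2.0.9.1" branch, 2.2.0 does not clear it at all, and 2.2.3.1 clears it but is still short of the ">= 2.2.6.1" that CVE-2022-44572 needs, so a single upgrade target has to be read against every open advisory for the gem.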
'protect_from_forgery' should be called in LooseLeaf::ApplicationController Open
class ApplicationController < ActionController::Base
Cross-site request forgery was #5 on the 2010 OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.
This warning is raised when no call to protect_from_forgery is found in ApplicationController. This method prevents CSRF.
For Rails 4 applications, it is recommended that you use protect_from_forgery with: :exception. This code is inserted into newly generated applications. The default strategy (:null_session) is to nil out the session object, which has been a source of many CSRF bypasses due to session memoization. Rails 5.2 and later turn protection on by default (config.action_controller.default_protect_from_forgery), but this project is on Rails 5.0 (actionview 5.0.0.1 above), so the call has to be explicit.
See the Rails Security Guide for details.
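The flagged class beside the form Brakeman expects, as an added example and not the project's own controller:

```ruby
# Added example, not the LooseLeaf code base.

# Flagged: nothing here checks the authenticity token, so a form posted from
# an attacker's page runs with the victim's session cookie attached.
class ApplicationController < ActionController::Base
end

# Expected: every non-GET request must carry a valid authenticity token;
# a missing or wrong token raises ActionController::InvalidAuthenticityToken,
# which Rails answers with a 422 rather than silently continuing with an
# empty session as :null_session would.
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
```

Keep :null_session for controllers that serve session-less API clients only; a browser-facing ApplicationController should fail closed with :exception.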
It's not necessary to initialize 'config' to undefined. Open
let config = undefined
Disallow Initializing to undefined (no-undef-init)
In JavaScript, a variable that is declared and not initialized to any value automatically gets the value of undefined. For example:
var foo;
console.log(foo === undefined); // true
It's therefore unnecessary to initialize a variable to undefined, such as:
var foo = undefined;
It's considered a best practice to avoid initializing variables to undefined.
Rule Details
This rule aims to eliminate variable declarations that initialize to undefined.
Examples of incorrect code for this rule:
/*eslint no-undef-init: "error"*/
/*eslint-env es6*/
var foo = undefined;
let bar = undefined;
Examples of correct code for this rule:
/*eslint no-undef-init: "error"*/
/*eslint-env es6*/
var foo;
let bar;
const baz = undefined;
When Not To Use It
There is one situation where initializing to undefined behaves differently than omitting the initialization, and that's when a var declaration occurs inside of a loop. For example:
Example of incorrect code for this rule:
for (i = 0; i < 10; i++) {
var x = undefined;
console.log(x);
x = i;
}
In this case, the var x is hoisted out of the loop, effectively creating:
var x;
for (i = 0; i < 10; i++) {
x = undefined;
console.log(x);
x = i;
}
If you were to remove the initialization, then the behavior of the loop changes:
for (i = 0; i < 10; i++) {
var x;
console.log(x);
x = i;
}
This code is equivalent to:
var x;
for (i = 0; i < 10; i++) {
console.log(x);
x = i;
}
This produces a different outcome than defining var x = undefined in the loop, as x is no longer reset to undefined each time through the loop.
If you're using such an initialization inside of a loop, then you should disable this rule.
Example of correct code for this rule, because it is disabled on a specific line:
/*eslint no-undef-init: "error"*/
for (i = 0; i < 10; i++) {
var x = undefined; // eslint-disable-line no-undef-init
console.log(x);
x = i;
}
Related Rules
- [no-undefined](no-undefined.md)
- [no-void](no-void.md)
Source: http://eslint.org/docs/rules/
It's not necessary to initialize 'config' to undefined. Open
let config = undefined
Avoid when branches without a body. Open
when 'patch'
This cop checks for the presence of when branches without a body.
Example:
# bad
case foo
when bar then 1
when baz then # nothing
end
Example:
# good
case foo
when bar then 1
when baz then 2
end
Expected an assignment or function call and instead saw an expression. Open
true
Disallow Unused Expressions (no-unused-expressions)
An unused expression which has no effect on the state of the program indicates a logic error.
For example, n + 1; is not a syntax error, but it might be a typing mistake where a programmer meant an assignment statement n += 1; instead.
Rule Details
This rule aims to eliminate unused expressions which have no effect on the state of the program.
This rule does not apply to function calls or constructor calls with the new operator, because they could have side effects on the state of the program.
var i = 0;
function increment() { i += 1; }
increment(); // return value is unused, but i changed as a side effect
var nThings = 0;
function Thing() { nThings += 1; }
new Thing(); // constructed object is unused, but nThings changed as a side effect
This rule does not apply to directives (which are in the form of literal string expressions such as "use strict"; at the beginning of a script, module, or function).
Sequence expressions (those using a comma, such as a = 1, b = 2) are always considered unused unless their return value is assigned or used in a condition evaluation, or a function call is made with the sequence expression value.
Options
This rule, in its default state, does not require any arguments. If you would like to enable one or more of the following you may pass an object with the options set as follows:
- allowShortCircuit set to true will allow you to use short circuit evaluations in your expressions (Default: false).
- allowTernary set to true will enable you to use ternary operators in your expressions similarly to short circuit evaluations (Default: false).
- allowTaggedTemplates set to true will enable you to use tagged template literals in your expressions (Default: false).
These options allow unused expressions only if all of the code paths either directly change the state (for example, assignment statement) or could have side effects (for example, function call).
Examples of incorrect code for the default { "allowShortCircuit": false, "allowTernary": false } options:
/*eslint no-unused-expressions: "error"*/
0
if(0) 0
{0}
f(0), {}
a && b()
a, b()
c = a, b;
a() && function namedFunctionInExpressionContext () {f();}
(function anIncompleteIIFE () {});
injectGlobal`body{ color: red; }`
Note that one or more string expression statements (with or without semi-colons) will only be considered as unused if they are not in the beginning of a script, module, or function (alone and uninterrupted by other statements). Otherwise, they will be treated as part of a "directive prologue", a section potentially usable by JavaScript engines. This includes "strict mode" directives.
"use strict";
"use asm"
"use stricter";
"use babel"
"any other strings like this in the prologue";
Examples of correct code for the default { "allowShortCircuit": false, "allowTernary": false } options:
/*eslint no-unused-expressions: "error"*/
{} // In this context, this is a block statement, not an object literal
{myLabel: someVar} // In this context, this is a block statement with a label and expression, not an object literal
function namedFunctionDeclaration () {}
(function aGenuineIIFE () {}());
f()
a = 0
new C
delete a.b
void a
allowShortCircuit
Examples of incorrect code for the { "allowShortCircuit": true }
option:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/
a || b
Examples of correct code for the { "allowShortCircuit": true } option:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/
a && b()
a() || (b = c)
allowTernary
Examples of incorrect code for the { "allowTernary": true } option:
/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/
a ? b : 0
a ? b : c()
Examples of correct code for the { "allowTernary": true } option:
/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/
a ? b() : c()
a ? (b = c) : d()
allowShortCircuit and allowTernary
Examples of correct code for the { "allowShortCircuit": true, "allowTernary": true } options:
/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true, "allowTernary": true }]*/
a ? b() || (c = d) : e()
allowTaggedTemplates
Examples of incorrect code for the { "allowTaggedTemplates": true } option:
/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/
`some untagged template string`;
Examples of correct code for the { "allowTaggedTemplates": true } option:
/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/
tag`some tagged template string`;
Source: http://eslint.org/docs/rules/
Read-only global 'process' should not be modified. Open
process = require('process')
Disallow assignment to native objects or read-only global variables (no-global-assign)
JavaScript environments contain a number of built-in global variables, such as window
in browsers and process
in Node.js. In almost all cases, you don't want to assign a value to these global variables as doing so could result in losing access to important functionality. For example, you probably don't want to do this in browser code:
window = {};
While examples such as window
are obvious, there are often hundreds of built-in global objects provided by JavaScript environments. It can be hard to know if you're assigning to a global variable or not.
Rule Details
This rule disallows modifications to read-only global variables.
ESLint has the capability to configure global variables as read-only.
- [Specifying Environments](../user-guide/configuring#specifying-environments)
- [Specifying Globals](../user-guide/configuring#specifying-globals)
Examples of incorrect code for this rule:
/*eslint no-global-assign: "error"*/
Object = null
undefined = 1
/*eslint no-global-assign: "error"*/
/*eslint-env browser*/
window = {}
length = 1
top = 1
/*eslint no-global-assign: "error"*/
/*globals a:false*/
a = 1
Examples of correct code for this rule:
/*eslint no-global-assign: "error"*/
a = 1
var b = 1
b = 2
/*eslint no-global-assign: "error"*/
/*eslint-env browser*/
onload = function() {}
/*eslint no-global-assign: "error"*/
/*globals a:true*/
a = 1
Options
This rule accepts an exceptions option, which can be used to specify a list of builtins for which reassignments will be allowed:
{
"rules": {
"no-global-assign": ["error", {"exceptions": ["Object"]}]
}
}
When Not To Use It
If you are trying to override one of the native objects.
Related Rules
- [no-extend-native](no-extend-native.md)
- [no-redeclare](no-redeclare.md)
- [no-shadow](no-shadow.md)
Source: http://eslint.org/docs/rules/
include is used at the top level. Use inside class or module. Open
include LooseLeaf::TaskHelpers
This cop checks that include, extend and prepend are not used at the top level.
At the top level these calls act on Object, so the module's methods become available on every object in the process.
Use include, extend and prepend inside a class or module instead.
Example:
# bad
include M
class C
end
# bad
extend M
class C
end
# bad
prepend M
class C
end
# good
class C
include M
end
# good
class C
extend M
end
# good
class C
prepend M
end
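What the cop is guarding against, shown in running code, as an added example that is not the LooseLeaf project's own Rakefile: LooseLeaf::TaskHelpers here is a stand-in module with a single method (an assumption; the real module's contents are not on this page). The good form mixes the helpers into the module that uses them; the flagged form, performed deliberately further down, lands the same methods in Object, so integers, strings and nil all pick them up.

```ruby
# Added example, not the LooseLeaf code base. LooseLeaf::TaskHelpers is a
# stand-in with one method so the effect of a top-level include is visible.
module LooseLeaf
  module TaskHelpers
    def banner(text)
      "== #{text} =="
    end
  end
end

# Good: the helpers are mixed into the module that actually calls them.
module LooseLeaf
  module Tasks
    extend TaskHelpers

    def self.run(name)
      banner(name)
    end
  end
end

GOOD_RESULT = LooseLeaf::Tasks.run('db:seed') # "== db:seed =="

# Before the top-level include, unrelated objects know nothing about #banner.
BEFORE = [1.respond_to?(:banner), 'x'.respond_to?(:banner), nil.respond_to?(:banner)]

# Bad: the flagged pattern, done on purpose here. At the top level `self` is
# `main`, whose `include` forwards to Object.include, so the module is mixed
# into Object...
include LooseLeaf::TaskHelpers

# ...and from here on every Integer, String, NilClass and any other object in
# the process answers to #banner, including code that never asked for it.
AFTER = [1.respond_to?(:banner), 'x'.respond_to?(:banner), nil.respond_to?(:banner)]

if __FILE__ == $PROGRAM_NAME
  puts GOOD_RESULT
  puts "before top-level include: #{BEFORE.inspect}"
  puts "after top-level include:  #{AFTER.inspect}"
end
```

In a Rakefile the same fix applies: put the helpers in a module, `extend` it from the namespace or class that defines the tasks (or call them module-qualified), and never `include` at file scope.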