Sign upLogin

rike422/loose-leaf

View on GitHub
Star

Showing 119 of 119 total issues

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Path Traversal in Sprockets
Open

    sprockets (3.7.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Possible information leak / session hijack vulnerability
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

Possible arbitrary path traversal and file access via yard server
Open

    yard (0.9.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory:

URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr

Solution: upgrade to >= 0.9.20

Potential arbitrary file read vulnerability in yard server
Open

    yard (0.9.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-17042

Criticality: High

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-17042

Solution: upgrade to >= 0.9.11

Denial of Service Vulnerability in Action View
Open

    actionview (5.0.0.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.9.14)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Denial of service via multipart parsing in Rack
Open

    rack (2.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Arbitrary path traversal and file access via yard server
Open

    yard (0.9.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-1020001

Criticality: High

URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr

Solution: upgrade to >= 0.9.20

Method symbolize_keys has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
Open

    def symbolize_keys(hash)
      hash.each_with_object({}) do |(key, value), new_hash|
        new_key = key.is_a?(String) ? key.to_sym : key
        new_value = value.is_a?(Hash) ? symbolize_keys(value) : value
        new_hash[new_key] = new_value
Severity: Minor
Found in rakelib/task_helpers.rb - About 35 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Further reading

rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Read more: https://github.com/flavorjones/loofah/issues/144

'protect_from_forgery' should be called in LooseLeaf::ApplicationController
Open

  class ApplicationController < ActionController::Base
Severity: Critical
Found in app/controllers/loose_leaf/application_controller.rb by brakeman

Cross-site request forgery is #5 on the OWASP Top Ten. CSRF allows an attacker to perform actions on a website as if they are an authenticated user.

This warning is raised when no call to protect_from_forgery is found in ApplicationController. This method prevents CSRF.

For Rails 4 applications, it is recommended that you use protect_from_forgery :with => :exception. This code is inserted into newly generated applications. The default is to nil out the session object, which has been a source of many CSRF bypasses due to session memoization.

See the Ruby Security Guide for details.

It's not necessary to initialize 'config' to undefined.
Open

let config = undefined
Severity: Minor
Found in client/webpack.config.js by eslint

Disallow Initializing to undefined (no-undef-init)

In JavaScript, a variable that is declared and not initialized to any value automatically gets the value of undefined. For example:

var foo;

console.log(foo === undefined);     // true

It's therefore unnecessary to initialize a variable to undefined, such as:

var foo = undefined;

It's considered a best practice to avoid initializing variables to undefined.

Rule Details

This rule aims to eliminate variable declarations that initialize to undefined.

Examples of incorrect code for this rule:

/*eslint no-undef-init: "error"*/
/*eslint-env es6*/

var foo = undefined;
let bar = undefined;

Examples of correct code for this rule:

/*eslint no-undef-init: "error"*/
/*eslint-env es6*/

var foo;
let bar;
const baz = undefined;

When Not To Use It

There is one situation where initializing to undefined behaves differently than omitting the initialization, and that's when a var declaration occurs inside of a loop. For example:

Example of incorrect code for this rule:

for (i = 0; i < 10; i++) {
    var x = undefined;
    console.log(x);
    x = i;
}

In this case, the var x is hoisted out of the loop, effectively creating:

var x;

for (i = 0; i < 10; i++) {
    x = undefined;
    console.log(x);
    x = i;
}

If you were to remove the initialization, then the behavior of the loop changes:

for (i = 0; i < 10; i++) {
    var x;
    console.log(x);
    x = i;
}

This code is equivalent to:

var x;

for (i = 0; i < 10; i++) {
    console.log(x);
    x = i;
}

This produces a different outcome than defining var x = undefined in the loop, as x is no longer reset to undefined each time through the loop.

If you're using such an initialization inside of a loop, then you should disable this rule.

Example of correct code for this rule, because it is disabled on a specific line:

/*eslint no-undef-init: "error"*/

for (i = 0; i < 10; i++) {
    var x = undefined; // eslint-disable-line no-undef-init
    console.log(x);
    x = i;
}

Related Rules

It's not necessary to initialize 'config' to undefined.
Open

let config = undefined
Severity: Minor
Found in client/webpack.config.rails.js by eslint

Disallow Initializing to undefined (no-undef-init)

In JavaScript, a variable that is declared and not initialized to any value automatically gets the value of undefined. For example:

var foo;

console.log(foo === undefined);     // true

It's therefore unnecessary to initialize a variable to undefined, such as:

var foo = undefined;

It's considered a best practice to avoid initializing variables to undefined.

Rule Details

This rule aims to eliminate variable declarations that initialize to undefined.

Examples of incorrect code for this rule:

/*eslint no-undef-init: "error"*/
/*eslint-env es6*/

var foo = undefined;
let bar = undefined;

Examples of correct code for this rule:

/*eslint no-undef-init: "error"*/
/*eslint-env es6*/

var foo;
let bar;
const baz = undefined;

When Not To Use It

There is one situation where initializing to undefined behaves differently than omitting the initialization, and that's when a var declaration occurs inside of a loop. For example:

Example of incorrect code for this rule:

for (i = 0; i < 10; i++) {
    var x = undefined;
    console.log(x);
    x = i;
}

In this case, the var x is hoisted out of the loop, effectively creating:

var x;

for (i = 0; i < 10; i++) {
    x = undefined;
    console.log(x);
    x = i;
}

If you were to remove the initialization, then the behavior of the loop changes:

for (i = 0; i < 10; i++) {
    var x;
    console.log(x);
    x = i;
}

This code is equivalent to:

var x;

for (i = 0; i < 10; i++) {
    console.log(x);
    x = i;
}

This produces a different outcome than defining var x = undefined in the loop, as x is no longer reset to undefined each time through the loop.

If you're using such an initialization inside of a loop, then you should disable this rule.

Example of correct code for this rule, because it is disabled on a specific line:

/*eslint no-undef-init: "error"*/

for (i = 0; i < 10; i++) {
    var x = undefined; // eslint-disable-line no-undef-init
    console.log(x);
    x = i;
}

Related Rules

Avoid when branches without a body.
Open

  when 'patch'
Severity: Minor
Found in rakelib/release.rake by rubocop

This cop checks for the presence of when branches without a body.

Example:

# bad

case foo
when bar then 1
when baz then # nothing
end

Example:

# good

case foo
when bar then 1
when baz then 2
end

Expected an assignment or function call and instead saw an expression.
Open

    true
Severity: Minor
Found in client/src/loose-leaf/attribute-cable.js by eslint

Disallow Unused Expressions (no-unused-expressions)

An unused expression which has no effect on the state of the program indicates a logic error.

For example, n + 1; is not a syntax error, but it might be a typing mistake where a programmer meant an assignment statement n += 1; instead.

Rule Details

This rule aims to eliminate unused expressions which have no effect on the state of the program.

This rule does not apply to function calls or constructor calls with the new operator, because they could have side effects on the state of the program.

var i = 0;
function increment() { i += 1; }
increment(); // return value is unused, but i changed as a side effect

var nThings = 0;
function Thing() { nThings += 1; }
new Thing(); // constructed object is unused, but nThings changed as a side effect

This rule does not apply to directives (which are in the form of literal string expressions such as "use strict"; at the beginning of a script, module, or function).

Sequence expressions (those using a comma, such as a = 1, b = 2) are always considered unused unless their return value is assigned or used in a condition evaluation, or a function call is made with the sequence expression value.

Options

This rule, in its default state, does not require any arguments. If you would like to enable one or more of the following you may pass an object with the options set as follows:

  • allowShortCircuit set to true will allow you to use short circuit evaluations in your expressions (Default: false).
  • allowTernary set to true will enable you to use ternary operators in your expressions similarly to short circuit evaluations (Default: false).
  • allowTaggedTemplates set to true will enable you to use tagged template literals in your expressions (Default: false).

These options allow unused expressions only if all of the code paths either directly change the state (for example, assignment statement) or could have side effects (for example, function call).

Examples of incorrect code for the default { "allowShortCircuit": false, "allowTernary": false } options:

/*eslint no-unused-expressions: "error"*/

0

if(0) 0

{0}

f(0), {}

a && b()

a, b()

c = a, b;

a() && function namedFunctionInExpressionContext () {f();}

(function anIncompleteIIFE () {});

injectGlobal`body{ color: red; }`

Note that one or more string expression statements (with or without semi-colons) will only be considered as unused if they are not in the beginning of a script, module, or function (alone and uninterrupted by other statements). Otherwise, they will be treated as part of a "directive prologue", a section potentially usable by JavaScript engines. This includes "strict mode" directives.

"use strict";
"use asm"
"use stricter";
"use babel"
"any other strings like this in the prologue";

Examples of correct code for the default { "allowShortCircuit": false, "allowTernary": false } options:

/*eslint no-unused-expressions: "error"*/

{} // In this context, this is a block statement, not an object literal

{myLabel: someVar} // In this context, this is a block statement with a label and expression, not an object literal

function namedFunctionDeclaration () {}

(function aGenuineIIFE () {}());

f()

a = 0

new C

delete a.b

void a

allowShortCircuit

Examples of incorrect code for the { "allowShortCircuit": true } option:

/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/

a || b

Examples of correct code for the { "allowShortCircuit": true } option:

/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true }]*/

a && b()
a() || (b = c)

allowTernary

Examples of incorrect code for the { "allowTernary": true } option:

/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/

a ? b : 0
a ? b : c()

Examples of correct code for the { "allowTernary": true } option:

/*eslint no-unused-expressions: ["error", { "allowTernary": true }]*/

a ? b() : c()
a ? (b = c) : d()

allowShortCircuit and allowTernary

Examples of correct code for the { "allowShortCircuit": true, "allowTernary": true } options:

/*eslint no-unused-expressions: ["error", { "allowShortCircuit": true, "allowTernary": true }]*/

a ? b() || (c = d) : e()

allowTaggedTemplates

Examples of incorrect code for the { "allowTaggedTemplates": true } option:

/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/

`some untagged template string`;

Examples of correct code for the { "allowTaggedTemplates": true } option:

/*eslint no-unused-expressions: ["error", { "allowTaggedTemplates": true }]*/

tag`some tagged template string`;

Source: http://eslint.org/docs/rules/

Read-only global 'process' should not be modified.
Open

process = require('process')
Severity: Minor
Found in client/webpack.config.rails.js by eslint

Disallow assignment to native objects or read-only global variables (no-global-assign)

JavaScript environments contain a number of built-in global variables, such as window in browsers and process in Node.js. In almost all cases, you don't want to assign a value to these global variables as doing so could result in losing access to important functionality. For example, you probably don't want to do this in browser code:

window = {};

While examples such as window are obvious, there are often hundreds of built-in global objects provided by JavaScript environments. It can be hard to know if you're assigning to a global variable or not.

Rule Details

This rule disallows modifications to read-only global variables.

ESLint has the capability to configure global variables as read-only.

  • [Specifying Environments](../user-guide/configuring#specifying-environments)
  • [Specifying Globals](../user-guide/configuring#specifying-globals)

Examples of incorrect code for this rule:

/*eslint no-global-assign: "error"*/

Object = null
undefined = 1
/*eslint no-global-assign: "error"*/
/*eslint-env browser*/

window = {}
length = 1
top = 1
/*eslint no-global-assign: "error"*/
/*globals a:false*/

a = 1

Examples of correct code for this rule:

/*eslint no-global-assign: "error"*/

a = 1
var b = 1
b = 2
/*eslint no-global-assign: "error"*/
/*eslint-env browser*/

onload = function() {}
/*eslint no-global-assign: "error"*/
/*globals a:true*/

a = 1

Options

This rule accepts an exceptions option, which can be used to specify a list of builtins for which reassignments will be allowed:

{
    "rules": {
        "no-global-assign": ["error", {"exceptions": ["Object"]}]
    }
}

When Not To Use It

If you are trying to override one of the native objects.

Related Rules

include is used at the top level. Use inside class or module.
Open

include LooseLeaf::TaskHelpers
Severity: Minor
Found in rakelib/release.rake by rubocop

This cop checks that include, extend and prepend exists at the top level. Using these at the top level affects the behavior of Object. There will not be using include, extend and prepend at the top level. Let's use it inside class or module.

Example:

# bad
include M

class C
end

# bad
extend M

class C
end

# bad
prepend M

class C
end

# good
class C
  include M
end

# good
class C
  extend M
end

# good
class C
  prepend M
end
Severity
Category
Status
Source
Language