tansaku/LocalSupport


Showing 943 of 943 total issues

ruby-ffi DLL loading issue on Windows OS
Open

    ffi (1.9.14)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

File Content Disclosure in Action View
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Potential remote code execution of user-provided local names in ActionView
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8163

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

Solution: upgrade to >= 4.2.11.2

Regular Expression Denial of Service in websocket-extensions (RubyGem)
Open

    websocket-extensions (0.1.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7663

Criticality: High

URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2

Solution: upgrade to >= 0.1.5

Possible information leak / session hijack vulnerability
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Path Traversal in Sprockets
Open

    sprockets (2.12.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Possible XSS vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

rack-protection gem timing attack vulnerability when validating CSRF token
Open

    rack-protection (1.5.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000119

Criticality: Medium

URL: https://github.com/sinatra/rack-protection/pull/98

Solution: upgrade to ~> 1.5.5, >= 2.0.0

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

Improper Certificate Validation in EM-HTTP-Request
Open

    em-http-request (1.1.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-13482

Criticality: High

URL: https://github.com/advisories/GHSA-q27f-v3r6-9v77

Solution: upgrade to >= 1.1.6

Path traversal is possible via backslash characters on Windows.
Open

    rack-protection (1.5.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-7212

URL: https://github.com/sinatra/sinatra/pull/1379

Solution: upgrade to >= 2.0.1, ~> 1.5.4

Method <=> has a Cognitive Complexity of 8 (exceeds 5 allowed). Consider refactoring.
Open

    def <=> other
      if (@sym == :what_they_do && other.sym == :how_they_help) || (@sym == :what_they_do && other.sym == :who_they_help) ||
        (@sym == :who_they_help && other.sym == :how_they_help)
        -1
      elsif @sym == other.sym
Severity: Minor
Found in app/models/category.rb - About 45 mins to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"


Consider simplifying this complex logical expression.
Open

      if (@sym == :what_they_do && other.sym == :how_they_help) || (@sym == :what_they_do && other.sym == :who_they_help) ||
        (@sym == :who_they_help && other.sym == :how_they_help)
        -1
      elsif @sym == other.sym
        0
Severity: Major
Found in app/models/category.rb - About 40 mins to fix

Method initialize has 5 arguments (exceeds 4 allowed). Consider refactoring.
Open

    def initialize(listener, params, model_klass, user_klass, mailer_klass)
Severity: Minor
Found in app/services/create_proposed_organisation_edit.rb - About 35 mins to fix

Method with has 5 arguments (exceeds 4 allowed). Consider refactoring.
Open

    def self.with(listener, params, model_klass = ProposedOrganisationEdit, user_klass = User, mailer_klass = AdminMailer)
Severity: Minor
Found in app/services/create_proposed_organisation_edit.rb - About 35 mins to fix

Method create_and_validate has a Cognitive Complexity of 7 (exceeds 5 allowed). Consider refactoring.
Open

    def self.create_and_validate(attributes)
      # create!(attributes.select{|k,v| !v.nil?})
      create!(attributes.each { |k, v| attributes[k] =v.nil? ? 'No information recorded' : (v.empty? ? 'No information recorded' : v) })
    end
Severity: Minor
Found in app/models/organisation.rb - About 35 mins to fix


Potentially unsafe model attribute in link_to href
Open

    <%= link_to @proposed_organisation_edit.website, @proposed_organisation_edit.website, {:target => '_blank'} if @proposed_organisation_edit.website.present?%>

Even though Rails will escape the link provided to link_to, values starting with javascript: or data: are unescaped and dangerous.

Brakeman will warn if user values are used to provide the href value in link_to, or if they are interpolated at the beginning of a string.

The --url-safe-methods option can be used to specify methods which make URLs safe.

See the Brakeman documentation for this warning for more details.
