tootsuite/mastodon

View on GitHub

Showing 223 of 231 total issues

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.9.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

Block has too many lines. [464/55]
Open

Rails.application.routes.draw do
  root 'home#index'

  mount LetterOpenerWeb::Engine, at: 'letter_opener' if Rails.env.development?

Severity: Minor
Found in config/routes.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods configuration is deprecated and only kept for backwards compatibility. Please use IgnoredMethods instead.

Example: CountAsOne: ['array', 'heredoc']

something do
  array = [         # +1
    1,
    2
  ]

  hash = {          # +3
    key: 'value'
  }

  msg = <

NOTE: This cop does not apply for Struct definitions.

Block has too many lines. [178/55]
Open

  namespace :api do
    # OEmbed
    get '/oembed', to: 'oembed#show', as: :oembed

    # JSON / REST API
Severity: Minor
Found in config/routes.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods configuration is deprecated and only kept for backwards compatibility. Please use IgnoredMethods instead.

Example: CountAsOne: ['array', 'heredoc']

something do
  array = [         # +1
    1,
    2
  ]

  hash = {          # +3
    key: 'value'
  }

  msg = <

NOTE: This cop does not apply for Struct definitions.

Module has too many lines. [238/200]
Open

module LanguagesHelper
  ISO_639_1 = {
    aa: ['Afar', 'Afaraf'].freeze,
    ab: ['Abkhaz', 'аҧсуа бызшәа'].freeze,
    ae: ['Avestan', 'avesta'].freeze,
Severity: Minor
Found in app/helpers/languages_helper.rb by rubocop

This cop checks if the length a module exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

Example: CountAsOne: ['array', 'heredoc']

module M
  ARRAY = [         # +1
    1,
    2
  ]

  HASH = {          # +3
    key: 'value'
  }

  MSG = <

Block has too many lines. [158/55]
Open

    namespace :v1 do
      resources :statuses, only: [:create, :show, :update, :destroy] do
        scope module: :statuses do
          resources :reblogged_by, controller: :reblogged_by_accounts, only: :index
          resources :favourited_by, controller: :favourited_by_accounts, only: :index
Severity: Minor
Found in config/routes.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods configuration is deprecated and only kept for backwards compatibility. Please use IgnoredMethods instead.

Example: CountAsOne: ['array', 'heredoc']

something do
  array = [         # +1
    1,
    2
  ]

  hash = {          # +3
    key: 'value'
  }

  msg = <

NOTE: This cop does not apply for Struct definitions.

Block has too many lines. [133/55]
Open

  namespace :admin do
    get '/dashboard', to: 'dashboard#index'

    resources :domain_allows, only: [:new, :create, :show, :destroy]
    resources :domain_blocks, only: [:new, :create, :destroy, :update, :edit]
Severity: Minor
Found in config/routes.rb by rubocop

This cop checks if the length of a block exceeds some maximum value. Comment lines can optionally be ignored. The maximum allowed length is configurable. The cop can be configured to ignore blocks passed to certain methods.

You can set literals you want to fold with CountAsOne. Available are: 'array', 'hash', and 'heredoc'. Each literal will be counted as one line regardless of its actual size.

NOTE: The ExcludedMethods configuration is deprecated and only kept for backwards compatibility. Please use IgnoredMethods instead.

Example: CountAsOne: ['array', 'heredoc']

something do
  array = [         # +1
    1,
    2
  ]

  hash = {          # +3
    key: 'value'
  }

  msg = <

NOTE: This cop does not apply for Struct definitions.

Possible SQL injection
Open

                -- Of the MD5 hash of the data we documented
Severity: Minor
Found in lib/mastodon/snowflake.rb by brakeman

Injection is #1 on the 2013 OWASP Top Ten web security risks. SQL injection is when a user is able to manipulate a value which is used unsafely inside a SQL query. This can lead to data leaks, data loss, elevation of privilege, and other unpleasant outcomes.

Brakeman focuses on ActiveRecord methods dealing with building SQL statements.

A basic (Rails 2.x) example looks like this:

User.first(:conditions => "username = '#{params[:username]}'")

Brakeman would produce a warning like this:

Possible SQL injection near line 30: User.first(:conditions => ("username = '#{params[:username]}'"))

The safe way to do this query is to use a parameterized query:

User.first(:conditions => ["username = ?", params[:username]])

Brakeman also understands the new Rails 3.x way of doing things (and local variables and concatenation):

username = params[:user][:name].downcase
password = params[:user][:password]

User.first.where("username = '" + username + "' AND password = '" + password + "'")

This results in this kind of warning:

Possible SQL injection near line 37:
User.first.where((((("username = '" + params[:user][:name].downcase) + "' AND password = '") + params[:user][:password]) + "'"))

See the Ruby Security Guide for more information and Rails-SQLi.org for many examples of SQL injection in Rails.

Method has too many optional parameters. [4/3]
Open

  def descendants(limit, account = nil, max_child_id = nil, since_child_id = nil, depth = nil)
    find_statuses_from_tree_path(descendant_ids(limit, max_child_id, since_child_id, depth), account, promote: true)
  end

This cop checks for methods with too many parameters.

The maximum number of parameters is configurable. Keyword arguments can optionally be excluded from the total count, as they add less complexity than positional or optional parameters.

Example: Max: 3

# good
def foo(a, b, c = 1)
end

Example: Max: 2

# bad
def foo(a, b, c = 1)
end

Example: CountKeywordArgs: true (default)

# counts keyword args towards the maximum

# bad (assuming Max is 3)
def foo(a, b, c, d: 1)
end

# good (assuming Max is 3)
def foo(a, b, c: 1)
end

Example: CountKeywordArgs: false

# don't count keyword args towards the maximum

# good (assuming Max is 3)
def foo(a, b, c, d: 1)
end

This cop also checks for the maximum number of optional parameters. This can be configured using the MaxOptionalParameters config option.

Example: MaxOptionalParameters: 3 (default)

# good
def foo(a = 1, b = 2, c = 3)
end

Example: MaxOptionalParameters: 2

# bad
def foo(a = 1, b = 2, c = 3)
end

Avoid parameter lists longer than 5 parameters. [6/5]
Open

  def request_follow!(other_account, reblogs: nil, notify: nil, uri: nil, rate_limit: false, bypass_limit: false)

This cop checks for methods with too many parameters.

The maximum number of parameters is configurable. Keyword arguments can optionally be excluded from the total count, as they add less complexity than positional or optional parameters.

Example: Max: 3

# good
def foo(a, b, c = 1)
end

Example: Max: 2

# bad
def foo(a, b, c = 1)
end

Example: CountKeywordArgs: true (default)

# counts keyword args towards the maximum

# bad (assuming Max is 3)
def foo(a, b, c, d: 1)
end

# good (assuming Max is 3)
def foo(a, b, c: 1)
end

Example: CountKeywordArgs: false

# don't count keyword args towards the maximum

# good (assuming Max is 3)
def foo(a, b, c, d: 1)
end

This cop also checks for the maximum number of optional parameters. This can be configured using the MaxOptionalParameters config option.

Example: MaxOptionalParameters: 3 (default)

# good
def foo(a = 1, b = 2, c = 3)
end

Example: MaxOptionalParameters: 2

# bad
def foo(a = 1, b = 2, c = 3)
end

Avoid parameter lists longer than 5 parameters. [6/5]
Open

  def follow!(other_account, reblogs: nil, notify: nil, uri: nil, rate_limit: false, bypass_limit: false)

This cop checks for methods with too many parameters.

The maximum number of parameters is configurable. Keyword arguments can optionally be excluded from the total count, as they add less complexity than positional or optional parameters.

Example: Max: 3

# good
def foo(a, b, c = 1)
end

Example: Max: 2

# bad
def foo(a, b, c = 1)
end

Example: CountKeywordArgs: true (default)

# counts keyword args towards the maximum

# bad (assuming Max is 3)
def foo(a, b, c, d: 1)
end

# good (assuming Max is 3)
def foo(a, b, c: 1)
end

Example: CountKeywordArgs: false

# don't count keyword args towards the maximum

# good (assuming Max is 3)
def foo(a, b, c, d: 1)
end

This cop also checks for the maximum number of optional parameters. This can be configured using the MaxOptionalParameters config option.

Example: MaxOptionalParameters: 3 (default)

# good
def foo(a = 1, b = 2, c = 3)
end

Example: MaxOptionalParameters: 2

# bad
def foo(a = 1, b = 2, c = 3)
end

Combine this loop with the previous loop.
Open

    custom_emojis.each do |custom_emoji|
      custom_emoji.update(visible_in_picker: true)
      log_action :update, custom_emoji
    end

This cop checks for places where multiple consecutive loops over the same data can be combined into a single loop. It is very likely that combining them will make the code more efficient and more concise.

It is marked as unsafe, because the first loop might modify a state that the second loop depends on; these two aren't combinable.

Example:

# bad
def method
  items.each do |item|
    do_something(item)
  end

  items.each do |item|
    do_something_else(item)
  end
end

# good
def method
  items.each do |item|
    do_something(item)
    do_something_else(item)
  end
end

# bad
def method
  for item in items do
    do_something(item)
  end

  for item in items do
    do_something_else(item)
  end
end

# good
def method
  for item in items do
    do_something(item)
    do_something_else(item)
  end
end

# good
def method
  each_slice(2) { |slice| do_something(slice) }
  each_slice(3) { |slice| do_something(slice) }
end

Combine this loop with the previous loop.
Open

    ip_blocks.each do |ip_block|
      ip_block.destroy
      log_action :destroy, ip_block
    end
Severity: Minor
Found in app/models/form/ip_block_batch.rb by rubocop

This cop checks for places where multiple consecutive loops over the same data can be combined into a single loop. It is very likely that combining them will make the code more efficient and more concise.

It is marked as unsafe, because the first loop might modify a state that the second loop depends on; these two aren't combinable.

Example:

# bad
def method
  items.each do |item|
    do_something(item)
  end

  items.each do |item|
    do_something_else(item)
  end
end

# good
def method
  items.each do |item|
    do_something(item)
    do_something_else(item)
  end
end

# bad
def method
  for item in items do
    do_something(item)
  end

  for item in items do
    do_something_else(item)
  end
end

# good
def method
  for item in items do
    do_something(item)
    do_something_else(item)
  end
end

# good
def method
  each_slice(2) { |slice| do_something(slice) }
  each_slice(3) { |slice| do_something(slice) }
end

Prefer string interpolation to string concatenation.
Open

    download_to_tar(tar, account.avatar, 'avatar' + File.extname(account.avatar.path)) if account.avatar.exists?
Severity: Minor
Found in app/services/backup_service.rb by rubocop

This cop checks for places where string concatenation can be replaced with string interpolation.

The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

Example:

# bad
email_with_name = user.name + ' '

# good
email_with_name = "#{user.name} "
email_with_name = format('%s ', user.name, user.email)

# accepted, line-end concatenation
name = 'First' +
  'Last'

Use keyword arguments when defining method with boolean argument.
Open

  def process_response(response, terminal = false)

This cop checks for places where keyword arguments can be used instead of boolean arguments when defining methods. respond_to_missing? method is allowed by default. These are customizable with AllowedMethods option.

Example:

# bad
def some_method(bar = false)
  puts bar
end

# bad - common hack before keyword args were introduced
def some_method(options = {})
  bar = options.fetch(:bar, false)
  puts bar
end

# good
def some_method(bar: false)
  puts bar
end

Example: AllowedMethods: ['some_method']

# good
def some_method(bar = false)
  puts bar
end

Use keyword arguments when defining method with boolean argument.
Open

  def connect(socket_class, host, port, nodelay = false)
Severity: Minor
Found in app/lib/request.rb by rubocop

This cop checks for places where keyword arguments can be used instead of boolean arguments when defining methods. respond_to_missing? method is allowed by default. These are customizable with AllowedMethods option.

Example:

# bad
def some_method(bar = false)
  puts bar
end

# bad - common hack before keyword args were introduced
def some_method(options = {})
  bar = options.fetch(:bar, false)
  puts bar
end

# good
def some_method(bar: false)
  puts bar
end

Example: AllowedMethods: ['some_method']

# good
def some_method(bar = false)
  puts bar
end

Prefer single-quoted strings when you don't need string interpolation or special symbols.
Open

    if @domain.end_with? ".onion"
Severity: Minor
Found in app/lib/webfinger.rb by rubocop

Checks if uses of quotes match the configured preference.

Example: EnforcedStyle: single_quotes (default)

# bad
"No special symbols"
"No string interpolation"
"Just text"

# good
'No special symbols'
'No string interpolation'
'Just text'
"Wait! What's #{this}!"

Example: EnforcedStyle: double_quotes

# bad
'Just some text'
'No special chars or interpolation'

# good
"Just some text"
"No special chars or interpolation"
"Every string in #{project} uses double_quotes"

Consider using explicit block argument in the surrounding method's signature over yield.
Open

    I18n.with_locale(account.user_locale || I18n.default_locale) do
      yield
    end
Severity: Minor
Found in app/mailers/application_mailer.rb by rubocop

This cop enforces the use of explicit block argument to avoid writing block literal that just passes its arguments to another block.

NOTE: This cop only registers an offense if the block args match the yield args exactly.

Example:

# bad
def with_tmp_dir
  Dir.mktmpdir do |tmp_dir|
    Dir.chdir(tmp_dir) { |dir| yield dir } # block just passes arguments
  end
end

# bad
def nine_times
  9.times { yield }
end

# good
def with_tmp_dir(&block)
  Dir.mktmpdir do |tmp_dir|
    Dir.chdir(tmp_dir, &block)
  end
end

with_tmp_dir do |dir|
  puts "dir is accessible as a parameter and pwd is set: #{dir}"
end

# good
def nine_times(&block)
  9.times(&block)
end

Prefer string interpolation to string concatenation.
Open

      blocked_domains = Regexp.new('\\.?' + DomainBlock.where(severity: 1).pluck(:domain).join('|') + '$')
Severity: Minor
Found in lib/mastodon/domains_cli.rb by rubocop

This cop checks for places where string concatenation can be replaced with string interpolation.

The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

Example:

# bad
email_with_name = user.name + ' '

# good
email_with_name = "#{user.name} "
email_with_name = format('%s ', user.name, user.email)

# accepted, line-end concatenation
name = 'First' +
  'Last'

Prefer string interpolation to string concatenation.
Open

  port     = ENV.fetch(prefix + 'REDIS_PORT') { 6379 if defaults }
Severity: Minor
Found in lib/mastodon/redis_config.rb by rubocop

This cop checks for places where string concatenation can be replaced with string interpolation.

The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

Example:

# bad
email_with_name = user.name + ' '

# good
email_with_name = "#{user.name} "
email_with_name = format('%s ', user.name, user.email)

# accepted, line-end concatenation
name = 'First' +
  'Last'

Prefer string interpolation to string concatenation.
Open

        attachment.instance.file_file_name    = File.basename(attachment.instance.file_file_name, '.*') + '.mp4'
Severity: Minor
Found in lib/paperclip/gif_transcoder.rb by rubocop

This cop checks for places where string concatenation can be replaced with string interpolation.

The cop can autocorrect simple cases but will skip autocorrecting more complex cases where the resulting code would be harder to read. In those cases, it might be useful to extract statements to local variables or methods which you can then interpolate in a string.

NOTE: When concatenation between two strings is broken over multiple lines, this cop does not register an offense; instead, Style/LineEndConcatenation will pick up the offense if enabled.

Example:

# bad
email_with_name = user.name + ' '

# good
email_with_name = "#{user.name} "
email_with_name = format('%s ', user.name, user.email)

# accepted, line-end concatenation
name = 'First' +
  'Last'
Severity
Category
Status
Source
Language