Showing 150 of 150 total issues
Denial of service or RCE from libxml2 and libxslt Open
nokogiri (1.6.7.2)- Read upRead up
- Exclude checks
Advisory: CVE-2015-8806
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1473
Solution: upgrade to >= 1.6.8
Unsafe Query Generation Risk in Active Record Open
activerecord (4.2.5)- Read upRead up
- Exclude checks
Advisory: CVE-2016-6317
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
Solution: upgrade to >= 4.2.7.1
ruby-ffi DDL loading issue on Windows OS Open
ffi (1.9.10)- Read upRead up
- Exclude checks
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Regular Expression Denial of Service in websocket-extensions (RubyGem) Open
websocket-extensions (0.1.2)- Read upRead up
- Exclude checks
Advisory: CVE-2020-7663
Criticality: High
URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
Solution: upgrade to >= 0.1.5
Potentially dangerous key allowed for mass assignment Open
params.require(:shift).permit(:event_id, :role, :start_time, :end_time,- Read upRead up
- Exclude checks
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Example:
User.new(params[:user])Unfortunately, if there is a user field called admin which controls administrator access, now any user can make themselves an administrator.
attr_accessible and attr_protected can be used to limit mass assignment. However, Brakeman will warn unless attr_accessible is used, or mass assignment is completely disabled.
There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like
Unprotected mass assignment near line 61: User.new(params[:user])The other warning is raised whenever a model is found which does not use attr_accessible. This produces generic warnings like
Mass assignment is not restricted using attr_accessiblewith a list of affected models.
In Rails 3.1 and newer, mass assignment can easily be disabled:
config.active_record.whitelist_attributes = trueUnfortunately, it can also easily be bypassed:
User.new(params[:user], :without_protection => true)Brakeman will warn on uses of without_protection.
Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2 Open
loofah (2.0.3)- Read upRead up
- Exclude checks
Rails 4.2.5 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.1 Open
rails (4.2.5)- Read upRead up
- Exclude checks
rails-html-sanitizer 1.0.3 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4 Open
rails-html-sanitizer (1.0.3)- Read upRead up
- Exclude checks
Rails 4.2.5 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1 Open
rails (4.2.5)- Read upRead up
- Exclude checks
Rails 4.2.5 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1 Open
rails (4.2.5)- Read upRead up
- Exclude checks
Method transfer has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def transfer
if params[:login].nil? or params[:login].empty?
flash.alert = "Please specify the new event creator's email/username"
else
@user = User.find_first_by_auth_conditions params- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method notify_users has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def notify_users
unless @shift.nil?
User.users_with_skills(@shift.skills).each do |user|
if not user.notified_about? @shift and @shift.event.is_future?- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method update has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def update
edit # Call the edit method and use it to set the controller variables
if can? :update, @event
old_date = @event.event_date- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Method notify_users has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring. Open
def notify_users
@user = current_user
unless @user.nil?
Shift.shifts_with_skills(@user.skills).each do |shift|
- Read upRead up
Cognitive Complexity
Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.
A method's cognitive complexity is based on a few simple rules:
- Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
- Code is considered more complex for each "break in the linear flow of the code"
- Code is considered more complex when "flow breaking structures are nested"
Further reading
Nested attributes rejection proc bypass in Active Record Open
activerecord (4.2.5)- Read upRead up
- Exclude checks
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Rule doesn't have all its properties in alphabetical order. Open
.logo {- Exclude checks
Use of !important Open
color: black !important;- Exclude checks
Use of !important Open
border: rgba(0, 0, 0, 0.1) 1px solid !important;- Exclude checks
Element (div.content) is overqualified, just use .content without element name. Open
div.content {- Exclude checks
Rule doesn't have all its properties in alphabetical order. Open
.modify-icon {- Exclude checks