pxlpnk · September 24, 2018 07:11
diff --git a/rubocop output b/rubocop output
 $ bundle exec rubocop --require rubocop-gitlab-security
 Inspecting 121 files
 .....CC.....CC..C..C....................C................................................................................

 Offenses:

 app/controllers/api/v1/mobile_controller.rb:11:44: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
      respond_with model.find(params[:id]).to_json
                                           ^^^^^^^
 app/controllers/api/v1/mobile_controller.rb:18:30: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
      respond_with model.all.to_json
                             ^^^^^^^
 app/controllers/api/v1/mobile_controller.rb:20:24: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
      respond_with nil.to_json
                       ^^^^^^^
 app/controllers/api/v1/users_controller.rb:14:24: C: GitlabSecurity/JsonSerialization: Don't use as_json without specifying only
    respond_with @user.as_json
                       ^^^^^^^
 app/controllers/password_resets_controller.rb:6:20: C: Security/MarshalLoad: Avoid using Marshal.load.
    user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
                   ^^^^
 app/controllers/pay_controller.rb:24:57: C: GitlabSecurity/JsonSerialization: Don't use as_json without specifying only
     format.json { render json: {user: current_user.pay.as_json} }
                                                        ^^^^^^^
 app/controllers/schedule_controller.rb:37:39: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
       format.json { render json: jfs.to_json }
                                      ^^^^^^^
 app/controllers/users_controller.rb:29:17: C: GitlabSecurity/SqlInjection: Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
        If this warning is in error you can white-list the line with #rubocop:disable GitlabSecurity/SqlInjection
    user = User.where("id = '#{params[:user][:id]}'")[0]
                ^^^^^
 app/models/benefits.rb:15:33: C: GitlabSecurity/SystemCommandInjection: Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
        If this warning is in error you can white-list the line with #rubocop:disable GitLabSecurity/SystemCommandInjection
      silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}") }
                                ^^^^^^

 121 files inspected, 9 offenses detected
	$ bundle exec rubocop --require rubocop-gitlab-security
	Inspecting 121 files
	.....CC.....CC..C..C....................C................................................................................

	Offenses:

	app/controllers/api/v1/mobile_controller.rb:11:44: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
	respond_with model.find(params[:id]).to_json
	^^^^^^^
	app/controllers/api/v1/mobile_controller.rb:18:30: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
	respond_with model.all.to_json
	^^^^^^^
	app/controllers/api/v1/mobile_controller.rb:20:24: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
	respond_with nil.to_json
	^^^^^^^
	app/controllers/api/v1/users_controller.rb:14:24: C: GitlabSecurity/JsonSerialization: Don't use as_json without specifying only
	respond_with @user.as_json
	^^^^^^^
	app/controllers/password_resets_controller.rb:6:20: C: Security/MarshalLoad: Avoid using Marshal.load.
	user = Marshal.load(Base64.decode64(params[:user])) unless params[:user].nil?
	^^^^
	app/controllers/pay_controller.rb:24:57: C: GitlabSecurity/JsonSerialization: Don't use as_json without specifying only
	format.json { render json: {user: current_user.pay.as_json} }
	^^^^^^^
	app/controllers/schedule_controller.rb:37:39: C: GitlabSecurity/JsonSerialization: Don't use to_json without specifying only
	format.json { render json: jfs.to_json }
	^^^^^^^
	app/controllers/users_controller.rb:29:17: C: GitlabSecurity/SqlInjection: Parameterize all user-input passed to where(), do not directly embed user input in SQL queries.
	If this warning is in error you can white-list the line with #rubocop:disable GitlabSecurity/SqlInjection
	user = User.where("id = '#{params[:user][:id]}'")[0]
	^^^^^
	app/models/benefits.rb:15:33: C: GitlabSecurity/SystemCommandInjection: Do not include variables in the command name for system(). Use parameters "system(cmd, params)" or exec() instead.
	If this warning is in error you can white-list the line with #rubocop:disable GitLabSecurity/SystemCommandInjection
	silence_streams(STDERR) { system("cp #{full_file_name} #{data_path}/bak#{Time.zone.now.to_i}_#{file.original_filename}") }
	^^^^^^

	121 files inspected, 9 offenses detected