Class: Brakeman::CheckDefaultRoutes

Inherits:
BaseCheck show all
Defined in:
lib/brakeman/checks/check_default_routes.rb

Overview

Checks if default routes are allowed in routes.rb

Constant Summary

Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_ENV, Util::REQUEST_PARAMETERS, Util::REQUEST_PARAMS, Util::SESSION

Constants inherited from SexpProcessor

SexpProcessor::VERSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Attributes inherited from SexpProcessor

#context, #env, #expected

Instance Method Summary collapse

Methods inherited from BaseCheck

#add_result, #initialize, #process_call, #process_cookies, #process_default, #process_if, #process_params

Methods included from Util

#array?, #call?, #camelize, #contains_class?, #context_for, #cookies?, #false?, #file_by_name, #file_for, #hash?, #hash_access, #hash_insert, #hash_iterate, #integer?, #node_type?, #number?, #params?, #pluralize, #regexp?, #request_env?, #request_value?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #table_to_csv, #true?, #truncate_table, #underscore

Methods included from ProcessorHelper

#class_name, #process_all, #process_module

Methods inherited from SexpProcessor

#error_handler, #in_context, #initialize, #process, #process_dummy, #scope

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

#run_checkObject

Checks for :allow_all_actions globally and for individual routes if it is not enabled globally.



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# File 'lib/brakeman/checks/check_default_routes.rb', line 11

def run_check
  if tracker.routes[:allow_all_actions]
    #Default routes are enabled globally
    warn :warning_type => "Default Routes", 
      :message => "All public methods in controllers are available as actions in routes.rb",
      :line => tracker.routes[:allow_all_actions].line, 
      :confidence => CONFIDENCE[:high],
      :file => "#{tracker.options[:app_path]}/config/routes.rb"
  else #Report each controller separately
    Brakeman.debug "Checking each controller for default routes"

    tracker.routes.each do |name, actions|
      if actions.is_a? Array and actions[0] == :allow_all_actions
        warn :controller => name,
          :warning_type => "Default Routes", 
          :message => "Any public method in #{name} can be used as an action.",
          :line => actions[1],
          :confidence => CONFIDENCE[:med],
          :file => "#{tracker.options[:app_path]}/config/routes.rb"
      end
    end
  end
end