Class: RuboCop::Cop::GitlabSecurity::DeepMunge

Inherits: Base

Defined in: lib/rubocop/cop/gitlab_security/deep_munge.rb

Overview

Checks for disabling the deep munge security control.

Disabling this security setting can leave the application open to unsafe query generation.

See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Examples:

# bad
config.action_dispatch.perform_deep_munge = false
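As an added illustration of what the flagged setting controls (example code written for this page, not part of the cop or of Rails), the following re-implements the parameter munging that the CVEs above were addressed with and runs the same guarded token lookup with the control on and off. The function names `deep_munge`, `token_condition` and `hostile_params`, the sample parameters and the simplified SQL rendering are assumptions made here.

```ruby
# Stand-alone re-implementation of the parameter normalisation Rails applies
# while perform_deep_munge is enabled (assumed behaviour: nil elements are
# dropped from arrays, an array left empty becomes nil, nested hashes recurse).
def deep_munge(hash, perform: true)
  return hash unless perform

  hash.each do |key, value|
    case value
    when Array
      value.grep(Hash) { |nested| deep_munge(nested, perform: perform) }
      value.compact!
      hash[key] = nil if value.empty?
    when Hash
      deep_munge(value, perform: perform)
    end
  end
  hash
end

# A common application guard: only look the token up when one was supplied.
# Returns the condition the query layer would build (simplified rendering;
# a nil-only array becomes IS NULL, as ActiveRecord does for where(token: [nil])).
def token_condition(params)
  token = params["token"]
  return :rejected if token.nil? || token == ""

  return "token = '#{token}'" unless token.is_a?(Array)

  values = token.compact
  return "token IS NULL" if values.empty?

  "token IN (#{values.map { |v| "'#{v}'" }.join(', ')})"
end

# Constructed request parameters, as the query string "token[]" or a JSON body
# {"token": [null]} would be parsed: an array holding a single nil.
def hostile_params
  { "token" => [nil] }
end

# Deep munge on: [nil] collapses to nil and the guard rejects the request.
def lookup_with_munge
  token_condition(deep_munge(hostile_params, perform: true)) # => :rejected
end

# perform_deep_munge = false: [nil] survives the nil check and reaches the
# query layer as a condition matching every row whose token is NULL.
def lookup_without_munge
  token_condition(deep_munge(hostile_params, perform: false)) # => "token IS NULL"
end
```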

Constant Summary

MSG = 'Never disable the deep munge security option.'

Instance Method Summary

Instance Method Details

#disable_deep_munge?(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/deep_munge.rb', line 21

def_node_matcher :disable_deep_munge?, <<-PATTERN
  (send
    (send (send nil? :config) :action_dispatch) :perform_deep_munge=
      { (false) (send true :!) }
  )
PATTERN

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/deep_munge.rb', line 28

def on_send(node)
  return unless disable_deep_munge?(node)

  # Report on the `perform_deep_munge=` selector rather than the whole send node
  add_offense(node.loc.selector)
end