Class: LintFu::Plugins::Rails::UnsafeFindChecker

Inherits: Checker (Object)

Defined in: lib/lint_fu/plugins/rails/unsafe_find_checker.rb

Overview

Visit a Rails controller looking for ActiveRecord finders being called in a way that might allow an attacker to perform unauthorized operations on resources, e.g. creating, updating or deleting someone else’s records.

Constant Summary

FINDER_REGEXP =
  /^(find|first|all)(_or_initialize)?(_by_.*_id)?/

SAFE_INSTANCE_METHODS =
  TODO: make this tunable, also expose it to the user to make sure it's appropriate!!
  [:current_user, :current_account]

Constants inherited from Checker

Checker::SUPPRESSION_COMMENT

Instance Attribute Summary

Attributes inherited from Checker

#context, #file, #scan

Instance Method Summary

Methods inherited from Checker

#initialize, #method_missing, #observe_class_begin, #observe_class_end

Constructor Details

This class inherits a constructor from LintFu::Checker

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class LintFu::Checker

Instance Method Details

#observe_call(sexp) ⇒ Object

Parameters:
  sexp: s(:call, <target>, <method_name>, s(:arglist))
# File 'lib/lint_fu/plugins/rails/unsafe_find_checker.rb', line 64

def observe_call(sexp)
  super(sexp)                    # run the inherited Checker#observe_call first
  check_suspicious_finder(sexp)  # then the finder check specific to this plugin
end
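The following is an added example, not code from the lint_fu project: a miniature, stand-alone version of the finder check that this checker performs, built from the two constants on this page and hand-constructed s-expressions in the shape the parameter description documents, s(:call, <target>, <method_name>, s(:arglist)). It generalizes the single observe_call hook into a walk over a whole controller-body tree, so that several finder calls can be classified at once. The s() helper, the Finding struct, suspicious_finder?, scoped_to_safe_method?, suspicious_finders and the sample calls are all assumptions for this example; only FINDER_REGEXP and SAFE_INSTANCE_METHODS come from the page.

```ruby
# Added example, not the lint_fu project's own code. Only FINDER_REGEXP and
# SAFE_INSTANCE_METHODS are taken from the page; everything else is assumed.

FINDER_REGEXP = /^(find|first|all)(_or_initialize)?(_by_.*_id)?/
SAFE_INSTANCE_METHODS = [:current_user, :current_account]

# Build a ParseTree/ruby_parser style s-expression as a plain Array
# (hypothetical helper standing in for the real Sexp class).
def s(*parts)
  parts
end

Finding = Struct.new(:receiver, :method_name)

# Is this target a call chain rooted at one of the safe instance methods,
# e.g. current_user.posts.find(...)? A finder scoped through the
# authenticated principal cannot reach another user's rows, so it is not
# reported.
def scoped_to_safe_method?(target)
  return false unless target.is_a?(Array) && target.first == :call
  receiver, name = target[1], target[2]
  return true if receiver.nil? && SAFE_INSTANCE_METHODS.include?(name)
  scoped_to_safe_method?(receiver)
end

# A finder called directly on a model constant (or on anything not rooted at
# a safe method) is suspicious: the id usually comes straight from params and
# nothing ties the looked-up record to the caller.
def suspicious_finder?(sexp)
  return false unless sexp.is_a?(Array) && sexp.first == :call
  _, target, method_name, _args = sexp
  return false unless method_name.to_s =~ FINDER_REGEXP
  !scoped_to_safe_method?(target)
end

# Human-readable rendering of a receiver for a finding.
def describe(target)
  case
  when target.nil? then "self"
  when target.first == :const then target[1].to_s
  when target.first == :call then "#{describe(target[1])}.#{target[2]}"
  else target.inspect
  end
end

# Walk a whole tree and collect every suspicious finder, as the checker's
# visitor would do one observe_call at a time.
def suspicious_finders(sexp, found = [])
  return found unless sexp.is_a?(Array)
  if sexp.first == :call && suspicious_finder?(sexp)
    found << Finding.new(describe(sexp[1]), sexp[2])
  end
  sexp.each { |child| suspicious_finders(child, found) }
  found
end

# Constructed sample: four controller-style calls (params[:id] as the argument).
PARAMS_ID    = s(:call, s(:call, nil, :params, s(:arglist)), :[], s(:arglist, s(:lit, :id)))
UNSAFE_CALL  = s(:call, s(:const, :Post), :find, s(:arglist, PARAMS_ID))
SAFE_CALL    = s(:call, s(:call, s(:call, nil, :current_user, s(:arglist)), :posts, s(:arglist)),
                 :find, s(:arglist, PARAMS_ID))
UNSAFE_BY_ID = s(:call, s(:const, :Post), :find_by_user_id, s(:arglist, PARAMS_ID))
NOT_A_FINDER = s(:call, s(:const, :Post), :count, s(:arglist))

CONTROLLER_BODY = s(:block, UNSAFE_CALL, SAFE_CALL, UNSAFE_BY_ID, NOT_A_FINDER)

if __FILE__ == $0
  suspicious_finders(CONTROLLER_BODY).each do |f|
    puts "suspicious finder: #{f.receiver}.#{f.method_name}"
  end
end
```

Running it reports Post.find and Post.find_by_user_id, while current_user.posts.find and Post.count pass. Two properties of the page's constants are worth keeping in mind when reading results: because the trailing groups in FINDER_REGEXP are optional, any method whose name starts with find, first or all matches, so Post.all is flagged alongside Post.find; and the safe-receiver list is the hard-coded pair the TODO above mentions, so an application that scopes through a different helper (say, a current_organization method) would see false positives until that list is adjusted.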