Class: Scanny::Checks::AccessControlCheck

Inherits:
Check
  • Object
Defined in:
lib/scanny/checks/access_control_check.rb

Overview

Checks for use of “params[:id]” as an argument to certain methods (new, create, delete, destroy) that require an authorization check before acting on a user-supplied id.

Instance Method Summary

Methods inherited from Check

#compiled_pattern, #issue, #strict?, #visit

Instance Method Details

#check(node) ⇒ Object

# File 'lib/scanny/checks/access_control_check.rb', line 45

# Called for every AST node matched by #pattern; each match is reported
# as one medium-severity issue tagged with CWE-285 (Improper Authorization).
def check(node)
  issue :medium,
    "Using \"params[:id]\" requires proper authorization check.",
    :cwe => 285
end

#pattern ⇒ Object

# File 'lib/scanny/checks/access_control_check.rb', line 7

# AST pattern with two alternatives: a `new`/`create` call whose hash
# argument carries `params[:id]` in a value slot (`any{odd}` before it means
# an odd number of preceding key/value elements, i.e. a value position), or a
# `delete`/`destroy` call with `params[:id]` anywhere in its argument list.
def pattern
  <<-EOT
    SendWithArguments<
      name      = :new | :create,
      arguments = ActualArguments<
        array = [
          HashLiteral<
            array = [
              any{odd},
              SendWithArguments<
                receiver  = Send<name = :params>,
                name      = :[],
                arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
              >,
              any{even}
            ]
          >
        ]
      >
    >
    |
    SendWithArguments<
      name      = :delete | :destroy,
      arguments = ActualArguments<
        array = [
          any*,
          SendWithArguments<
            receiver  = Send<name = :params>,
            name      = :[],
            arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
          >,
          any*
        ]
      >
    >
  EOT
end
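The two call shapes the pattern above matches, each beside a form that takes the id or owner from the caller's own scope, as an added example (not Scanny's or Rails' code): Post, PostStore and the *_unchecked/*_scoped methods are constructed stand-ins for a model class and controller actions.

```ruby
# Added example (not Scanny's or Rails' code): the two call shapes this check
# flags, each beside a form that takes the id or owner from the caller's own
# scope. Post, PostStore and the *_unchecked/*_scoped methods are stand-ins.
Post = Struct.new(:id, :owner_id, :title)
# Minimal in-memory table standing in for an ActiveRecord model class.
class PostStore
  def initialize(posts = [])
    @posts = posts.map { |p| [p.id, p] }.to_h
  end
  def exist?(id)
    @posts.key?(id)
  end
  def find(id)            # raises KeyError when the id is not in this scope
    @posts.fetch(id)
  end
  def create(attrs)
    id = (@posts.keys.max || 0) + 1
    @posts[id] = Post.new(id, attrs[:owner_id], attrs[:title])
  end
  def destroy(id)
    @posts.delete(id)
  end
  def owned_by(user_id)   # only the rows belonging to one user
    PostStore.new(@posts.values.select { |p| p.owner_id == user_id })
  end
end
# Constructed sample data: post 1 belongs to user 10, post 2 to user 20.
def sample_posts
  PostStore.new([Post.new(1, 10, "a"), Post.new(2, 20, "b")])
end

# Flagged: destroy(params[:id]) lets the request choose any row.
def destroy_unchecked(posts, params)
  posts.destroy(params[:id])
end

# Not the flagged shape: the id is first resolved among the caller's own rows.
def destroy_scoped(posts, current_user_id, params)
  posts.destroy(posts.owned_by(current_user_id).find(params[:id]).id)
end

# Flagged: create(:owner_id => params[:id]) lets the request pick the owner.
def create_unchecked(posts, params)
  posts.create(:owner_id => params[:id], :title => params[:title])
end

# Not the flagged shape: the owner comes from the session, not the request.
def create_scoped(posts, current_user_id, params)
  posts.create(:owner_id => current_user_id, :title => params[:title])
end
```

With the sample data, user 10 requesting `id => 2` deletes user 20's post through destroy_unchecked, while destroy_scoped raises KeyError and leaves it in place.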