Class: Scanny::Checks::AccessControlCheck
- Defined in:
- lib/scanny/checks/access_control_check.rb
Overview
Checks for use of “params” in the arguments of certain methods that require authorization checks.
Instance Method Summary
Methods inherited from Check
#compiled_pattern, #issue, #strict?, #visit
Instance Method Details
#check(node) ⇒ Object
# File 'lib/scanny/checks/access_control_check.rb', line 45

def check(node)
  issue :medium, "Using \"params[:id]\" requires proper authorization check.", :cwe => 285
end
#pattern ⇒ Object
# File 'lib/scanny/checks/access_control_check.rb', line 7

def pattern
  <<-EOT
    SendWithArguments<
      name = :new | :create,
      arguments = ActualArguments<
        array = [
          HashLiteral<
            array = [
              any{odd},
              SendWithArguments<
                receiver = Send<name = :params>,
                name = :[],
                arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
              >,
              any{even}
            ]
          >
        ]
      >
    >
    |
    SendWithArguments<
      name = :delete | :destroy,
      arguments = ActualArguments<
        array = [
          any*,
          SendWithArguments<
            receiver = Send<name = :params>,
            name = :[],
            arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
          >,
          any*
        ]
      >
    >
  EOT
end