Class: Scanny::Checks::AccessControlCheck

Inherits:

Check

• Object
• Check
• Scanny::Checks::AccessControlCheck

Defined in:

lib/scanny/checks/access_control_check.rb

Overview

Checks for use of “params” in parameters of certain methods that requires authorizaton checks.

Instance Method Summary

• #check(node) ⇒ Object
• #pattern ⇒ Object

  User.new(params).

Methods inherited from Check

#compiled_pattern, #issue, #strict?, #visit

Instance Method Details

#check(node) ⇒ Object

# File 'lib/scanny/checks/access_control_check.rb', line 45

def check(node)
  issue :medium,
    "Using \"params[:id]\" requires proper authorization check.",
    :cwe => 285
end

#pattern ⇒ Object

User.new(params)

# File 'lib/scanny/checks/access_control_check.rb', line 7

def pattern
  <<-EOT
    SendWithArguments<
      name      = :new | :create,
      arguments = ActualArguments<
        array = [
          HashLiteral<
            array = [
              any{odd},
              SendWithArguments<
                receiver  = Send<name = :params>,
                name      = :[],
                arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
              >,
              any{even}
            ]
          >
        ]
      >
    >
    |
    SendWithArguments<
      name      = :delete | :destroy,
      arguments = ActualArguments<
        array = [
          any*,
          SendWithArguments<
            receiver  = Send<name = :params>,
            name      = :[],
            arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
          >,
          any*
        ]
      >
    >
  EOT
end