Class: Spektr::Checks::CreateWith
Defined in: lib/spektr/checks/create_with.rb
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
- #initialize(app, target) ⇒ CreateWith (constructor): A new instance of CreateWith.
- #run ⇒ Object
Methods inherited from Base
#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!
Constructor Details
#initialize(app, target) ⇒ CreateWith
Returns a new instance of CreateWith.
# File 'lib/spektr/checks/create_with.rb', line 4
def initialize(app, target)
  super
  @name = "Strong parameter bypass (CVE-2014-3514)"
  @type = "Input validation"
  @targets = ["Spektr::Targets::Base", "Spektr::Targets::Controller", "Spektr::Targets::Routes", "Spektr::Targets::View"]
end
Instance Method Details
#run ⇒ Object
# File 'lib/spektr/checks/create_with.rb', line 11
def run
  return unless super
  if app_version_between?("4.0.0", "4.0.8") || app_version_between?("4.1.0", "4.1.5")
    calls = @target.find_calls(:create_with)
    calls.each do |call|
      call.arguments.each do |argument|
        if user_input?(argument.type, argument.name, argument.ast)
          next if argument.ast.children[1] == :permit
          warn! @target, self, call.location, "create_with is vulnerable to strong params bypass"
        end
      end
    end
  end
end
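The argument test in #run (warn when a create_with argument is user input, skip it when permit is called on it) can be tried outside Spektr with a small stand-alone scanner. This is an added example, not Spektr's code: it uses Ruby's bundled Ripper parser instead of Spektr's AST, omits the Rails version gate, accepts a permit call anywhere in the argument, and the names SAMPLE, idents, unpermitted_create_with and scan are hypothetical.

```ruby
require "ripper"

# Constructed sample input (not taken from any real application).
SAMPLE = <<~'RUBY'
  User.create_with(params[:user]).first_or_create
  User.create_with(params.require(:user).permit(:name)).first_or_create
  User.create_with(role: "member").first_or_create
  User.create_with params[:permit]
RUBY

# Collect identifier names under a Ripper node. Symbol literals are skipped
# so that params[:permit] is not mistaken for a call to #permit.
def idents(node, acc = [])
  return acc if !node.is_a?(Array) || node[0] == :symbol
  acc << node[1] if node[0] == :@ident
  node.each { |child| idents(child, acc) }
  acc
end

# Return line numbers of create_with calls whose arguments mention `params`
# with no `permit` call. Covers both foo.create_with(x) and foo.create_with x.
def unpermitted_create_with(node, hits = [])
  return hits unless node.is_a?(Array)
  name, args = case node[0]
               when :method_add_arg then [node[1].is_a?(Array) ? node[1].last : nil, node[2]]
               when :command_call   then [node[3], node[4]]
               end
  if name.is_a?(Array) && name[0] == :@ident && name[1] == "create_with"
    seen = idents(args)
    hits << name[2][0] if seen.include?("params") && !seen.include?("permit")
  end
  node.each { |child| unpermitted_create_with(child, hits) }
  hits
end

# Parse Ruby source and report the offending line numbers.
def scan(source)
  tree = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
  unpermitted_create_with(tree)
end

puts scan(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

Lines 1 and 4 of the sample are reported; line 2 passes because the argument goes through permit, and line 3 passes because it contains no user input.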