Class: Spektr::Checks::CsrfSetting
- Defined in:
- lib/spektr/checks/csrf_setting.rb
#initialize(app, target) ⇒ CsrfSetting
constructor
A new instance of CsrfSetting.
- #run ⇒ Object
Methods inherited from Base
#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!
Constructor Details
#initialize(app, target) ⇒ CsrfSetting
Returns a new instance of CsrfSetting: a check that runs against controller targets and reports controllers where `protect_from_forgery` is not in effect (or has been disabled with an unscoped `skip_forgery_protection`).
# File 'lib/spektr/checks/csrf_setting.rb', line 4

# Set up the CSRF check: the name/type attached to every warning it raises
# and the kind of target it runs against (controllers only).
#
# @param app    the scanned application, passed through to Base#initialize
# @param target the target under review, passed through to Base#initialize
def initialize(app, target)
  super
  @targets = %w[Spektr::Targets::Controller]
  @type = "Cross-Site Request Forgery"
  @name = "Cross-Site Request Forgery"
end
Instance Method Details
#run ⇒ Object
# File 'lib/spektr/checks/csrf_setting.rb', line 11

# Warn when forgery protection does not apply to the target controller.
#
# Protection counts as inherited when some ancestor (found via
# Target#find_parent over @app.controllers) calls protect_from_forgery.
# A skip_forgery_protection call restricted with only:/except: is treated
# as an accepted, scoped exception; an unscoped one is reported.
#
# @return [Object] nil on the early exits; otherwise whatever warn! or the
#   final branch returns (callers are not expected to use the value)
#
# NOTE(review): `skip..keys` and `.last..keys` below read as Ruby range /
# flip-flop syntax; this almost certainly is a rendering artifact where a
# method name between the two dots was lost. Confirm against the repository
# source before relying on this listing.
#
# NOTE(review): Rails (5.2+) can enable forgery protection through
# application config without any controller calling protect_from_forgery;
# this check only looks at controller source, so such apps may be reported
# as unprotected — confirm whether that is the intended behaviour.
def run
  return unless super
  # Concerns are mixins, not routable controllers; they are skipped.
  return if @target.concern?
  enabled = false
  target = @target
  # Walk up the controller hierarchy until an ancestor enables protection
  # or no further parent is found.
  while target
    parent_controller = target.find_parent(@app.controllers)
    enabled = parent_controller && parent_controller.find_calls(:protect_from_forgery).any?
    break if enabled || parent_controller.nil?
    target = parent_controller
  end
  # Inherited protection with no local opt-out: nothing to report.
  return if enabled && @target.find_calls(:skip_forgery_protection).none?
  # Either the controller never enables protection itself, or it inherits
  # protection but opts out locally.
  if @target.find_calls(:protect_from_forgery).none? || (enabled && @target.find_calls(:skip_forgery_protection).any?)
    skip = @target.find_calls(:skip_forgery_protection).last
    # A skip limited by only:/except: is accepted as a deliberate, scoped choice.
    return if enabled && skip && skip..keys.intersection(%i[only except]).any?
    warn! @target, self, nil, 'protect_from_forgery should be enabled'
  end
  if @target.find_calls(:skip_forgery_protection).any?
    # NOTE(review): this `return` is unconditional, so the warn! that follows
    # is unreachable as written. If the intent was `return if <scoped skip>`,
    # note that the branch above may already have warned for the same
    # controller — check whether warn!/dupe? dedupes before changing it.
    return @target.find_calls(:skip_forgery_protection).last..keys.intersection(%i[only except]).any?
    warn! @target, self, nil, 'protect_from_forgery should be enabled'
  end
end