Class: Spektr::Checks::CsrfSetting

Inherits:
Base
  • Object
Defined in:
lib/spektr/checks/csrf_setting.rb

Instance Attribute Summary

Attributes inherited from Base

#name

Instance Method Summary

Methods inherited from Base

#app_version_between?, #dupe?, #model_attribute?, #should_run?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!

Constructor Details

#initialize(app, target) ⇒ CsrfSetting

Returns a new instance of CsrfSetting.



# File 'lib/spektr/checks/csrf_setting.rb', line 4

# Builds the CSRF check for +app+ and +target+, both forwarded to Base.
# The check is restricted to controller targets; the name/type strings
# are what +warn!+ reports the finding under.
#
# @param app the application under analysis (handed to Base)
# @param target the target the check is run against (handed to Base)
def initialize(app, target)
  super(app, target)
  @targets = ['Spektr::Targets::Controller']
  @name = 'Cross-Site Request Forgery'
  @type = 'Cross-Site Request Forgery'
end

Instance Method Details

#run ⇒ Object



# File 'lib/spektr/checks/csrf_setting.rb', line 11

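# Reports a controller whose CSRF protection is effectively switched off.
#
# A controller counts as protected when it, or an ancestor reachable via
# +find_parent+ over the app's controllers, calls +protect_from_forgery+.
# A +skip_forgery_protection+ call on the controller itself then re-opens
# the finding unless it is scoped with +only:+/+except:+, in which case
# the remaining actions stay protected and nothing is reported.
#
# The previous version returned before its final +warn!+, so a controller
# that declared +protect_from_forgery+ itself and then skipped it without
# a scope was never reported (a false negative); that branch now warns.
#
# Returns nil when the base class declines the target, when the target is
# a concern, or when no issue is found; otherwise the result of +warn!+.
#
# NOTE(review): apps relying on Rails' +default_protect_from_forgery+
# setting never call +protect_from_forgery+ in source and would be
# reported here — confirm how that configuration is modelled by the app.
def run
  return unless super
  return if @target.concern?

  skips = @target.find_calls(:skip_forgery_protection)
  protection_declared = ancestor_protects_from_forgery? ||
                        @target.find_calls(:protect_from_forgery).any?
  # Only the last skip_forgery_protection call decides the scope; a skip
  # carrying only:/except: leaves the other actions protected.
  scoped_skip = skips.any? &&
                skips.last.options.keys.intersection(%i[only except]).any?

  return if protection_declared && (skips.none? || scoped_skip)

  warn! @target, self, nil, 'protect_from_forgery should be enabled'
end

# Walks the inheritance chain of @target through @app.controllers and
# returns true if any ancestor calls +protect_from_forgery+. The walk
# stops as soon as +find_parent+ returns nil, so classes the app does
# not model (presumably framework base classes) are not inspected.
private def ancestor_protects_from_forgery?
  ancestor = @target.find_parent(@app.controllers)
  while ancestor
    return true if ancestor.find_calls(:protect_from_forgery).any?

    ancestor = ancestor.find_parent(@app.controllers)
  end
  false
end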