Class: Spektr::Checks::FilterSkipping
- Defined in:
- lib/spektr/checks/filter_skipping.rb
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary collapse
-
#initialize(app, target) ⇒ FilterSkipping
constructor
A new instance of FilterSkipping.
- #run ⇒ Object
- #should_run? ⇒ Boolean
Methods inherited from Base
#app_version_between?, #dupe?, #model_attribute?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!
Constructor Details
#initialize(app, target) ⇒ FilterSkipping
Returns a new instance of FilterSkipping.
4 5 6 7 8 9 |
# File 'lib/spektr/checks/filter_skipping.rb', line 4 def initialize(app, target) super @name = "Default routes filter skipping" @type = "Default Routes" @targets = ["Spektr::Targets::Routes"] end |
Instance Method Details
#run ⇒ Object
11 12 13 14 15 16 17 18 19 20 21 22 |
# File 'lib/spektr/checks/filter_skipping.rb', line 11 def run return unless super calls = %w{ match get post put delete }.inject([]) do |memo, method| memo.concat @target.find_calls(method.to_sym) memo end calls.each do |call| if !call.arguments.empty? && (call.arguments.first.name.include?(":action") or call.arguments.first.name.include?("*action")) warn! @target, self, call.location, "CVE-2011-2929 Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed" end end end |
#should_run? ⇒ Boolean
24 25 26 |
# File 'lib/spektr/checks/filter_skipping.rb', line 24 def should_run? app_version_between?("3.0.0", "3.0.9") end |