Class: Spektr::Checks::FilterSkipping

Inherits:
Base
  • Object
Defined in:
lib/spektr/checks/filter_skipping.rb

Instance Attribute Summary

Attributes inherited from Base

#name

Instance Method Summary

Methods inherited from Base

#app_version_between?, #dupe?, #model_attribute?, #target_affected?, #user_input?, #version_affected, #version_between?, #warn!

Constructor Details

#initialize(app, target) ⇒ FilterSkipping

Returns a new instance of FilterSkipping.



# File 'lib/spektr/checks/filter_skipping.rb', line 4

# Builds the check. Both arguments are forwarded untouched to Base#initialize
# (bare `super`); this class then only records its own metadata: the display
# name, the category label, and the list of target class names it declares.
#
# @param app [Object] passed through to Base#initialize
# @param target [Object] passed through to Base#initialize
def initialize(app, target)
  super
  @name, @type, @targets =
    "Default routes filter skipping",
    "Default Routes",
    %w[Spektr::Targets::Routes]
end

Instance Method Details

#run ⇒ Object



# File 'lib/spektr/checks/filter_skipping.rb', line 11

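# Warns on route declarations whose path pattern contains a dynamic
# `:action` or glob `*action` segment. Such a route lets the request choose
# the controller action, so a filter written for the expected action names
# can be skipped — the behaviour tracked as CVE-2011-2929 in Rails releases
# before 3.0.10. One warning is emitted per matching route call.
#
# Returns nil without inspecting anything when the inherited `run` returns a
# falsy value; otherwise returns the array of route calls that were examined.
def run
  return unless super

  # Every route-declaring helper whose first argument is the path pattern.
  # flat_map replaces the inject/concat accumulator with the same result.
  route_calls = %w[match get post put delete].flat_map do |helper|
    @target.find_calls(helper.to_sym)
  end

  route_calls.each do |call|
    next if call.arguments.empty?

    pattern = call.arguments.first.name
    # `||` rather than `or`: same truth table here, but `or` binds weaker than
    # assignment and is easy to misuse when this condition is edited later.
    next unless pattern.include?(":action") || pattern.include?("*action")

    warn! @target, self, call.location,
          "CVE-2011-2929 Rails versions before 3.0.10 have a vulnerability which allows filters to be bypassed"
  end
end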

#should_run? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/spektr/checks/filter_skipping.rb', line 24

# Restricts the check to the Rails 3.0.x releases the finding applies to.
# The bounds are handed to Base#app_version_between?; whether they are
# inclusive is decided there, not here.
#
# @return [Boolean] true when the app's version lies between 3.0.0 and 3.0.9
def should_run?
  affected_from, affected_to = "3.0.0", "3.0.9"
  app_version_between?(affected_from, affected_to)
end