
require 'brakeman/checks/base_check'

#Checks if a password is stored in a controller
#when using http_basic_authenticate_with
#
#Only for Rails >= 3.1
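class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for the use of http_basic_authenticate_with"

  # Warns once per controller when http_basic_authenticate_with is called
  # with a string literal as its :password option, i.e. a credential that
  # lives in the source tree. Skipped for Rails < 3.1, where the method
  # does not exist.
  def run_check
    return if version_between? "0.0.0", "3.0.99"

    tracker.controllers.each do |name, controller|
      calls = controller[:options][:http_basic_authenticate_with]
      next unless calls

      calls.each do |call|
        pass = get_password(call)
        next unless pass && string?(pass)

        warn :controller => name,
          :warning_type => "Basic Auth",
          :warning_code => :basic_auth_password,
          :message => "Basic authentication password stored in source code",
          :code => call,
          :confidence => 0,
          :file => controller[:file]

        # Intentional: only the first offending call in a controller is reported.
        break
      end
    end
  end

  # Returns the value of the :password option from the first argument of
  # +call+, or false when that argument is missing or not a hash literal.
  # The caller only warns when the value is a plain string literal; a
  # password assembled by interpolation or concatenation is presumably not
  # reported — verify against BaseCheck#string?.
  def get_password call
    arg = call.first_arg

    return false if arg.nil? || !hash?(arg)

    hash_access(arg, :password)
  end
end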
