Sha256: 2116543f54b41fee98f301112574ec69513bb33633d3973ec97c0980ec26c0ab
Contents?: true
Size: 1.68 KB
Versions: 6
Compression:
Stored size: 1.68 KB
Contents
require 'brakeman/checks/base_check'
#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
class Brakeman::CheckNestedAttributesBypass < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Checks for nested attributes vulnerability (CVE-2015-7577)"
def run_check
if version_between? "3.1.0", "3.2.22" or
version_between? "4.0.0", "4.1.14" or
version_between? "4.2.0", "4.2.5"
unless workaround?
check_nested_attributes
end
end
end
def check_nested_attributes
active_record_models.each do |name, model|
if opts = model.options[:accepts_nested_attributes_for]
opts.each do |args|
if args.any? { |a| allow_destroy? a } and args.any? { |a| reject_if? a }
warn_about_nested_attributes name, model, args
end
end
end
end
end
def warn_about_nested_attributes name, model, args
message = msg(msg_version(rails_version), " does not call ", msg_code(":reject_if"), " option when ", msg_code(":allow_destroy"), " is ", msg_code("false"), " ", msg_cve("CVE-2015-7577"))
warn :model => name,
:warning_type => "Nested Attributes",
:warning_code => :CVE_2015_7577,
:message => message,
:file => model.file,
:line => args.line,
:confidence => :medium,
:link_path => "https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ"
end
def allow_destroy? arg
hash? arg and
false? hash_access(arg, :allow_destroy)
end
def reject_if? arg
hash? arg and
hash_access(arg, :reject_if)
end
def workaround?
tracker.check_initializers([], :will_be_destroyed?).any?
end
end
Version data entries
6 entries across 6 versions & 3 rubygems