Sha256: 5f01952b2c61a454b4815948333e62b54e62d4ed8a891ae1ac296f9e92191e8a

Contents?: true

Size: 1.05 KB

Versions: 4

Compression:

Stored size: 1.05 KB

Contents

require 'brakeman/checks/base_check'

#Checks if password is stored in controller
#when using http_basic_authenticate_with
#
#Only for Rails >= 3.1
class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for the use of http_basic_authenticate_with"

  def run_check
    return if version_between? "0.0.0", "3.0.99"

    controllers = tracker.controllers.select do |name, c|
      c[:options][:http_basic_authenticate_with]
    end

    Hash[controllers].each do |name, controller|
      controller[:options][:http_basic_authenticate_with].each do |call|

        if pass = get_password(call) and string? pass
          warn :controller => name,
              :warning_type => "Basic Auth", 
              :message => "Basic authentication password stored in source code",
              :code => call, 
              :confidence => 0

          break
        end
      end
    end
  end

  def get_password call
    args = call[3][1]

    return false if args.nil? or not hash? args

    hash_access(args, :password)
  end
end

Version data entries

4 entries across 4 versions & 1 rubygems

Version Path
brakeman-1.7.1 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.7.0 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.6.2 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.6.1 lib/brakeman/checks/check_basic_auth.rb