
require 'railroader/checks/base_check'

# Flags session keys that are taken straight from user input.
#
# The scan is narrow by design: it looks for calls of the form
# `session[key] = value` (method `:[]=` on target `:session`) and
# warns when `key` is immediate user input. Keys that come from
# `params` are reported with :high confidence, any other recognised
# input source with :medium.
#
# NOTE(review): only the `[]=` call shape is matched. Writes through
# `session.store`, `session.merge!`/`update`, or a key first copied into
# a local variable are presumably not caught by this check — confirm
# against the base-check helpers before relying on it for coverage.
class Railroader::CheckSessionManipulation < Railroader::BaseCheck
  Railroader::Checks.add self

  @description = "Check for user input in session keys"

  # Entry point invoked by the check runner: hand every
  # `session[...] = ...` call found in the tracker to process_result.
  def run_check
    session_writes = tracker.find_call(:method => :[]=, :target => :session)
    session_writes.each { |call| process_result call }
  end

  # Inspect one `session[key] = value` call and emit a "Session
  # Manipulation" warning when `key` is immediate user input.
  #
  # @param result [Hash] a find_call result; `result[:call]` is the Sexp
  #   of the `[]=` call and its first argument is the session key.
  # @return [nil] when the result is not original (already reported) or
  #   the key is not user input; otherwise the value of `warn`.
  def process_result result
    # Skip duplicate results so the same call is only reported once.
    return unless original? result

    key = result[:call].first_arg

    # has_immediate_user_input? comes from BaseCheck; a falsy return
    # means the key is not (directly) attacker-controlled.
    input = has_immediate_user_input?(key)
    return unless input

    # A key straight out of params is the clear-cut case.
    confidence = params?(key) ? :high : :medium

    warn(
      :result => result,
      :warning_type => "Session Manipulation",
      :warning_code => :session_key_manipulation,
      :message => "#{friendly_type_of(input).capitalize} used as key in session hash",
      :code => result[:call],
      :user_input => input,
      :confidence => confidence
    )
  end
end
