Sha256: 63a298160063f7c0f7362c5430e3284dc2ead023ea635a6e5b3d6fec2bc49928

Contents?: true

Size: 1.05 KB

Versions: 9

Compression:

Stored size: 1.05 KB

Contents

require 'brakeman/checks/base_check'

#Checks if password is stored in controller
#when using http_basic_authenticate_with
#
#Only for Rails >= 3.1
class Brakeman::CheckBasicAuth < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Checks for the use of http_basic_authenticate_with"

  def run_check
    return if version_between? "0.0.0", "3.0.99"

    controllers = tracker.controllers.select do |name, c|
      c[:options][:http_basic_authenticate_with]
    end

    Hash[controllers].each do |name, controller|
      controller[:options][:http_basic_authenticate_with].each do |call|

        if pass = get_password(call) and string? pass
          warn :controller => name,
              :warning_type => "Basic Auth", 
              :message => "Basic authentication password stored in source code",
              :code => call, 
              :confidence => 0

          break
        end
      end
    end
  end

  def get_password call
    arg = call.first_arg

    return false if arg.nil? or not hash? arg

    hash_access(arg, :password)
  end
end

Version data entries

9 entries across 9 versions & 1 rubygems

Version Path
brakeman-1.9.2 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.9.1 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.9.0 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.9.0.pre2 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.9.0.pre1 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.8.3 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.8.2 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.8.1 lib/brakeman/checks/check_basic_auth.rb
brakeman-1.8.0 lib/brakeman/checks/check_basic_auth.rb