Sha256: a9b4b6e9b993c0257f727a4ae1c40307cd2b63127fda1cab06b8bbd1d900ad61
Contents?: true
Size: 1.86 KB
Versions: 4
Compression:
Stored size: 1.86 KB
Contents
require 'checks/base_check'
#Checks that +protect_from_forgery+ is set in the ApplicationController.
#
#Also warns for CSRF weakness in certain versions of Rails:
#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
class CheckForgerySetting < BaseCheck
Checks.add self
def run_check
app_controller = tracker.controllers[:ApplicationController]
if tracker.config[:rails][:action_controller] and
tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)
warn :controller => :ApplicationController,
:warning_type => "Cross Site Request Forgery",
:message => "Forgery protection is disabled",
:confidence => CONFIDENCE[:high]
elsif app_controller and not app_controller[:options][:protect_from_forgery]
warn :controller => :ApplicationController,
:warning_type => "Cross-Site Request Forgery",
:message => "'protect_from_forgery' should be called in ApplicationController",
:confidence => CONFIDENCE[:high]
elsif version_between? "2.1.0", "2.3.10"
warn :controller => :ApplicationController,
:warning_type => "Cross-Site Request Forgery",
:message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
:confidence => CONFIDENCE[:high],
:file => gemfile_or_environment
elsif version_between? "3.0.0", "3.0.3"
warn :controller => :ApplicationController,
:warning_type => "Cross-Site Request Forgery",
:message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
:confidence => CONFIDENCE[:high],
:file => gemfile_or_environment
end
end
end
Version data entries
4 entries across 4 versions & 1 rubygems