Sha256: b752805734279d8d148af8a9c90421d6f9ef1d7c54daa83ba7215dea5749b617

Size: 969 Bytes

Versions: 5

Stored size: 969 Bytes

Contents

# frozen_string_literal: true

module RuboCop
  module Cop
    module GitlabSecurity
      # Checks for disabling the deep munge security control.
      #
      # Disabling this security setting can leave the application open to unsafe
      # query generation.
      #
      # @example
      #
      #   # bad
      #   config.action_dispatch.perform_deep_munge = false
      #
      # See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
      class DeepMunge < RuboCop::Cop::Base
        MSG = 'Never disable the deep munge security option.'

        # @!method disable_deep_munge?(node)
        def_node_matcher :disable_deep_munge?, <<-PATTERN
          (send
            (send (send nil? :config) :action_dispatch) :perform_deep_munge=
              { (false) (send true :!) }
          )
        PATTERN

        def on_send(node)
          return unless disable_deep_munge?(node)

          add_offense(node.loc.selector)
        end
      end
    end
  end
end
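The deep munge control this cop protects, as an added illustration that is not the gem's or Rails' code: a constructed, simplified model of the normalisation Rails applies to request parameters, with a stand-in `present?` guard showing what the `[nil]` shape produced by a bare `?token[]` parameter does when the munge is disabled versus enabled. The Rails 4-era behaviour of collapsing an all-nil array to `nil` is assumed; later versions keep an empty array, which the guard rejects just the same.

```ruby
# Added example: a simplified, constructed model of the "deep munge" that
# Rails applies to request parameters. It is not the Rails or gitlab-styles
# implementation; it only shows why the control the cop guards matters and
# what disabling it lets through.

# Recursively drop nil elements from arrays and (Rails 4-era behaviour,
# assumed here) replace an array that ends up empty with nil. Newer Rails
# versions keep the empty array instead; both values are blank.
def deep_munge(params)
  case params
  when Hash
    params.transform_values { |v| deep_munge(v) }
  when Array
    munged = params.map { |v| deep_munge(v) }.compact
    munged.empty? ? nil : munged
  else
    params
  end
end

# Minimal stand-in for ActiveSupport's present? (nil and empty are blank).
def present?(value)
  !(value.nil? || (value.respond_to?(:empty?) && value.empty?))
end

# A typical guard: only look the record up when the client supplied a token.
# Returns :lookup when the guard passes and :rejected otherwise.
def token_guard(params)
  present?(params['token']) ? :lookup : :rejected
end

# Constructed input: the structure a nested query-string parser yields for
# "?token[]" (a key with no value): the token is the array [nil].
HOSTILE_PARAMS = { 'token' => [nil] }.freeze

# Without deep munge the guard sees a non-empty array and passes, handing
# [nil] on to the lookup (a value that hash-style query builders commonly
# turn into an IS NULL condition). With deep munge the token becomes nil
# and the guard rejects the request.
def guard_result(params, perform_deep_munge: true)
  params = deep_munge(params) if perform_deep_munge
  token_guard(params)
end

if __FILE__ == $PROGRAM_NAME
  puts guard_result(HOSTILE_PARAMS, perform_deep_munge: false) # lookup
  puts guard_result(HOSTILE_PARAMS, perform_deep_munge: true)  # rejected
end
```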

Version data entries

5 entries across 5 versions and 1 rubygem

Version              Path
gitlab-styles-13.0.1 lib/rubocop/cop/gitlab_security/deep_munge.rb
gitlab-styles-13.0.0 lib/rubocop/cop/gitlab_security/deep_munge.rb
gitlab-styles-11.0.0 lib/rubocop/cop/gitlab_security/deep_munge.rb
gitlab-styles-10.1.0 lib/rubocop/cop/gitlab_security/deep_munge.rb
gitlab-styles-10.0.0 lib/rubocop/cop/gitlab_security/deep_munge.rb