
require 'checks/base_check'

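#Checks that +protect_from_forgery+ is set in the ApplicationController
#
# Two findings are reported, in order of severity (only the first that
# applies is emitted):
#
# 1. config.action_controller.allow_forgery_protection is explicitly
#    +false+. That switches CSRF protection off application-wide, so any
#    +protect_from_forgery+ call becomes a no-op.
# 2. ApplicationController is present but never calls
#    +protect_from_forgery+, so controllers inheriting from it get no CSRF
#    token check unless they enable it themselves. This check only looks
#    at ApplicationController; per-controller calls in subclasses are not
#    credited, so such apps will still be reported here.
#
# NOTE(review): +protect_from_forgery+ only guards non-GET requests, so
# state-changing GET actions stay exposed even when it is present; that is
# out of scope for this check.
class CheckForgerySetting < BaseCheck
  Checks.add self

  # Shared warning type so both findings group together in reports. The
  # original code used "Cross Site ..." for one finding and "Cross-Site ..."
  # for the other, which split one issue across two warning categories.
  WARNING_TYPE = "Cross-Site Request Forgery"

  # Emits at most one high-confidence CSRF warning against
  # ApplicationController; see the class comment for the two conditions.
  def run_check
    if forgery_protection_disabled?
      warn :controller => :ApplicationController,
        :warning_type => WARNING_TYPE,
        :message => "Forgery protection is disabled",
        :confidence => CONFIDENCE[:high]
    elsif missing_protect_from_forgery?
      warn :controller => :ApplicationController,
        :warning_type => WARNING_TYPE,
        :message => "'protect_from_forgery' should be called in ApplicationController",
        :confidence => CONFIDENCE[:high]
    end
  end

  private

  # True when the parsed config records
  # config.action_controller.allow_forgery_protection = false.
  # A missing :rails or :action_controller section is treated as "not
  # disabled" instead of raising NoMethodError on nil, so the second
  # finding can still run for apps without an action_controller config.
  def forgery_protection_disabled?
    rails_config = tracker.config[:rails]
    action_controller = rails_config && rails_config[:action_controller]
    return false unless action_controller

    action_controller[:allow_forgery_protection] == Sexp.new(:false)
  end

  # True when ApplicationController was found and its recorded options do
  # not include a protect_from_forgery call. No ApplicationController at
  # all yields false (nothing to report against); a missing options hash
  # is treated like a missing call. Assumes the controller record is
  # hash-like with an :options entry — matches the original access pattern.
  def missing_protect_from_forgery?
    app_controller = tracker.controllers[:ApplicationController]
    return false unless app_controller

    options = app_controller[:options]
    !(options && options[:protect_from_forgery])
  end
end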
