Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
Brakeman
提交
12ed187a
B
Brakeman
项目概览
李少辉-开发者
/
Brakeman
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
B
Brakeman
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
12ed187a
编写于
4月 13, 2015
作者:
N
Neil Matatall
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Warn unless a rails 4 app protect[s]_from_forgery with :exception
上级
cacc248d
变更
4
隐藏空白更改
内联
并排
Showing
4 changed file
with
23 addition
and
2 deletion
+23
-2
lib/brakeman/checks/check_forgery_setting.rb
lib/brakeman/checks/check_forgery_setting.rb
+11
-0
lib/brakeman/warning_codes.rb
lib/brakeman/warning_codes.rb
+1
-0
test/apps/rails4_with_engines/app/controllers/application_controller.rb
...s4_with_engines/app/controllers/application_controller.rb
+1
-1
test/tests/rails4_with_engines.rb
test/tests/rails4_with_engines.rb
+10
-1
未找到文件。
lib/brakeman/checks/check_forgery_setting.rb
浏览文件 @
12ed187a
...
...
@@ -52,6 +52,17 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
:confidence
=>
CONFIDENCE
[
:high
],
:gem_info
=>
gemfile_or_environment
,
:link_path
=>
"https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
elsif
version_between?
"4.0.0"
,
"100.0.0"
and
forgery_opts
=
app_controller
[
:options
][
:protect_from_forgery
]
unless
forgery_opts
.
is_a?
(
Array
)
and
sexp?
(
forgery_opts
.
first
)
and
hash_access
(
forgery_opts
.
first
.
first_arg
,
:with
).
value
==
:exception
warn
:controller
=>
:ApplicationController
,
:warning_type
=>
"Cross-Site Request Forgery"
,
:warning_code
=>
:csrf_not_protected_by_raising_exception
,
:message
=>
"protect_from_forgery should be configured with 'with: :exception'"
,
:confidence
=>
CONFIDENCE
[
:med
],
:file
=>
app_controller
[
:files
].
first
,
:link_path
=>
"blog post link?"
end
end
end
end
lib/brakeman/warning_codes.rb
浏览文件 @
12ed187a
...
...
@@ -87,6 +87,7 @@ module Brakeman::WarningCodes
:CVE_2011_2932
=>
83
,
:cross_site_scripting_inline
=>
84
,
:CVE_2014_7829
=>
85
,
:csrf_not_protected_by_raising_exception
=>
86
,
}
def
self
.
code
name
...
...
test/apps/rails4_with_engines/app/controllers/application_controller.rb
浏览文件 @
12ed187a
class
ApplicationController
<
ActionController
::
Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery
with: :exception
protect_from_forgery
end
test/tests/rails4_with_engines.rb
浏览文件 @
12ed187a
...
...
@@ -8,7 +8,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
expected
@expected
||=
{
:controller
=>
0
,
:controller
=>
1
,
:model
=>
5
,
:template
=>
11
,
:generic
=>
8
}
...
...
@@ -276,4 +276,13 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
:relative_path
=>
"engines/user_removal/app/models/user.rb"
end
def
test_csrf_without_exception
assert_warning
:type
=>
:controller
,
:warning_code
=>
86
,
:fingerprint
=>
"4d109bd02e4ccb3ea4c51485c947be435ee006a61af7d2cd37d1b358c7469189"
,
:warning_type
=>
"Cross-Site Request Forgery"
,
:message
=>
"protect_from_forgery should be configured with 'with: :exception'"
,
:confidence
=>
1
,
:relative_path
=>
"app/controllers/application_controller.rb"
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录