Fix session settings detection for Rails 3

and add line number reporting for session setting warnings

Fix session settings detection for Rails 3
and add line number reporting for session setting warnings
a394ec86 · Justin Collins · 01303576 · a394ec86 · a394ec86
隐藏空白更改
内联并排

Showing with 32 addition and 10 deletion

CHANGES CHANGES +1 -0

lib/checks/check_session_settings.rb lib/checks/check_session_settings.rb +31 -10

未找到文件。
--- a/CHANGES
+++ b/CHANGES
  * Check initializer for session settings
+  * Add line numbers to session setting warnings
  * Add --checks option to list checks

 ## 0.4.1

--- a/lib/checks/check_session_settings.rb
+++ b/lib/checks/check_session_settings.rb
 require 'checks/base_check'

+#Checks for session key length and http_only settings
 class CheckSessionSettings < BaseCheck
  Checks.add self

-  SessionSettings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+  if OPTIONS[:rails3]
+    SessionSettings = Sexp.new(:call, Sexp.new(:colon2, Sexp.new(:const, :Rails3), :Application), :config, Sexp.new(:arglist))
+  else
+    SessionSettings = Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
+  end

  def run_check
    settings = tracker.config[:rails] and
                tracker.config[:rails][:action_controller] and
                tracker.config[:rails][:action_controller][:session]

-    check_for_issues settings
+    check_for_issues settings, "#{OPTIONS[:app_path]}/config/environment.rb"

    if tracker.initializers["session_store.rb"]
      process tracker.initializers["session_store.rb"]
    end
  end

+  #Looks for ActionController::Base.session = { ... }
+  #in Rails 2.x apps
  def process_attrasgn exp
-    if exp[1] == SessionSettings and exp[2] == :session= and
-      hash? exp[3][1] 
-
-      check_for_issues exp[3][1]
+    if not OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session=
+      check_for_issues exp[3][1], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
+      exp
+    else
+      super
    end
+  end

-    exp
+  #Looks for Rails3::Application.config.session_store :cookie_store, { ... }
+  #in Rails 3.x apps
+  def process_call exp
+    if OPTIONS[:rails3] and exp[1] == SessionSettings and exp[2] == :session_store
+        check_for_issues exp[3][2], "#{OPTIONS[:app_path]}/config/initializers/session_store.rb"
+      exp
+    else
+      super
+    end
  end

  private

-  def check_for_issues settings
+  def check_for_issues settings, file
    if settings and hash? settings
      hash_iterate settings do |key, value|
        if symbol? key
@@ -40,7 +57,9 @@ class CheckSessionSettings < BaseCheck

            warn :warning_type => "Session Setting",
              :message => "Session cookies should be set to HTTP only",
-              :confidence => CONFIDENCE[:high]
+              :confidence => CONFIDENCE[:high],
+              :line => key.line,
+              :file => file

          elsif key[1] == :secret and 
            string? value and
@@ -48,7 +67,9 @@ class CheckSessionSettings < BaseCheck

            warn :warning_type => "Session Setting",
              :message => "Session secret should be at least 30 characters long",
-              :confidence => CONFIDENCE[:high]
+              :confidence => CONFIDENCE[:high],
+              :line => key.line,
+              :file => file

          end
        end