Checks for session key length and http_only settings
Looks for ActionController::Base.session = { ... } in Rails 2.x apps
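# File lib/brakeman/checks/check_session_settings.rb, line 33
# Rails 2.x path: handles `ActionController::Base.session = { ... }`.
#
# Acts only when the Rails 3 option is off, the receiver equals the
# @session_settings target (set elsewhere in this check) and the attribute
# being assigned is `session=`. The right-hand side (first argument) is then
# handed to check_for_issues and reported against
# config/initializers/session_store.rb under the app path.
#
# @param exp [Sexp] an attribute-assignment node from the initializer
# @return [Sexp] the node, unchanged, so traversal continues
def process_attrasgn exp
  # `!`/`&&` instead of `not`/`and`: same truth table, no precedence trap
  # (`and`/`or`/`not` bind looser than assignment and method arguments).
  if !tracker.options[:rails3] &&
     exp.target == @session_settings &&
     exp.method == :session=
    check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
  end

  exp
end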
Looks for Rails3::Application.config.session_store :cookie_store, { ... } in Rails 3.x apps
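# File lib/brakeman/checks/check_session_settings.rb, line 43
# Rails 3.x path: handles `config.session_store :cookie_store, { ... }`.
#
# Acts only when the Rails 3 option is on, settings_target? accepts the
# receiver and the called method is `session_store`. The second argument
# (the options hash in the pattern above) is handed to
# check_for_rails3_issues and reported against
# config/initializers/session_store.rb under the app path.
#
# @param exp [Sexp] a method-call node from the initializer
# @return [Sexp] the node, unchanged, so traversal continues
def process_call exp
  # `&&` instead of `and`: identical result, idiomatic boolean logic.
  if tracker.options[:rails3] &&
     settings_target?(exp.target) &&
     exp.method == :session_store
    check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
  end

  exp
end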
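# File lib/brakeman/checks/check_session_settings.rb, line 19
# Entry point of the check: inspects the Rails 2 session settings recorded
# from config/environment.rb, then walks config/initializers/session_store.rb
# when the tracker parsed one (its nodes are dispatched to process_call /
# process_attrasgn defined elsewhere in this check).
#
# Precedence fix: the original read
#   settings = tracker.config[:rails] and ...[:action_controller] and ...[:session]
# which Ruby parses as `(settings = tracker.config[:rails]) and ...`, so
# `settings` held the whole Rails config hash, never the nested :session
# value. With `&&` the assignment receives the session value, or nil at the
# first missing level, which is what check_for_issues is meant to inspect.
#
# @return [Object] the value of the final `process` call, or nil when no
#   session_store.rb initializer exists (callers are not expected to use it)
def run_check
  rails_config = tracker.config[:rails]
  settings = rails_config &&
             rails_config[:action_controller] &&
             rails_config[:action_controller][:session]

  check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"

  # Only process the initializer when the tracker actually parsed one.
  initializer = tracker.initializers["session_store.rb"]
  process initializer if initializer
end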