Brakeman::CheckBasicAuth

Checks whether the password passed to http_basic_authenticate_with is stored as a string literal in the controller source.

Only for Rails >= 3.1

Public Instance Methods

get_password(call)
# File lib/brakeman/checks/check_basic_auth.rb, line 35
def get_password call
  arg = call.first_arg

  return false if arg.nil? or not hash? arg

  hash_access(arg, :password)
end
run_check()
# File lib/brakeman/checks/check_basic_auth.rb, line 12
def run_check
  return if version_between? "0.0.0", "3.0.99"

  controllers = tracker.controllers.select do |name, c|
    c[:options][:http_basic_authenticate_with]
  end

  Hash[controllers].each do |name, controller|
    controller[:options][:http_basic_authenticate_with].each do |call|

      if pass = get_password(call) and string? pass
        warn :controller => name,
            :warning_type => "Basic Auth",
            :message => "Basic authentication password stored in source code",
            :code => call,
            :confidence => 0

        break
      end
    end
  end
end
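As an added example (not Brakeman's own code), a stand-alone reimplementation of this check on Ruby's stdlib Ripper parser instead of Brakeman's tracker: it walks a controller's S-expression, finds bare http_basic_authenticate_with calls and reports those whose :password argument is a plain string literal, which is what run_check's `string? pass` test flags. The two controller sources are constructed for the example; the hardened one reads both credentials from the environment.

```ruby
require "ripper"
# Constructed sample controllers (not from the Brakeman page): the first stores
# the password as a string literal, the second reads credentials from ENV.
VULNERABLE_SRC = <<~RUBY
  class AdminController < ApplicationController
    http_basic_authenticate_with name: "admin", password: "s3cret"
  end
RUBY

HARDENED_SRC = <<~RUBY
  class AdminController < ApplicationController
    http_basic_authenticate_with name: ENV.fetch("ADMIN_USER"),
                                 password: ENV.fetch("ADMIN_PASSWORD")
  end
RUBY

# Yield every Ripper S-expression node (an Array whose head is a Symbol).
def each_node(sexp, &blk)
  return unless sexp.is_a?(Array)
  blk.call(sexp) if sexp.first.is_a?(Symbol)
  sexp.each { |child| each_node(child, &blk) }
end

# Hash key of an :assoc_new pair as a String; handles `password:` and `:password =>`.
def assoc_key(pair)
  key = pair[1]
  return key[1].chomp(":") if key[0] == :@label
  key[1][1][1] if key[0] == :symbol_literal
end

# String literal with no interpolation, like Brakeman's string? test; an
# interpolated password is not reported by the check either.
def plain_string?(node)
  node[0] == :string_literal && node[1].drop(1).all? { |p| p[0] == :@tstring_content }
end

# Line numbers of http_basic_authenticate_with calls whose :password argument is
# a plain string literal. Only the bare call form (Ripper :command) is handled,
# as in the samples above; the parenthesised form parses as :fcall.
def hardcoded_basic_auth_passwords(source)
  findings = []
  each_node(Ripper.sexp(source)) do |node|
    next unless node[0] == :command && node[1][1] == "http_basic_authenticate_with"
    each_node(node[2]) do |arg|
      next unless arg[0] == :assoc_new && assoc_key(arg) == "password"
      findings << node[1][2][0] if plain_string?(arg[2])
    end
  end
  findings
end
```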

Generated with the Darkfish Rdoc Generator 2.