Class/Module Index [+]

Quicksearch

Brakeman::BaseCheck

Basis of vulnerability checks.

Constants

CONFIDENCE
Match

Attributes

tracker[R]
warnings[R]

Public Class Methods

new(app_tree, tracker) click to toggle source

Initialize Check with Checks.

# File lib/brakeman/checks/base_check.rb, line 17
def initialize(app_tree, tracker)
  super()
  @app_tree = app_tree
  @results = [] #only to check for duplicates
  @warnings = []
  @tracker = tracker
  @string_interp = false
  @current_set = nil
  @current_template = @current_module = @current_class = @current_method = nil
  @mass_assign_disabled = nil
  @safe_input_attributes = Set[:to_i, :to_f, :arel_table]
end

Public Instance Methods

add_result(result, location = nil) click to toggle source

Add result to result list, which is used to check for duplicates

# File lib/brakeman/checks/base_check.rb, line 31
def add_result result, location = nil
  location ||= (@current_template && @current_template[:name]) || @current_class || @current_module || @current_set || result[:location][1]
  location = location[:name] if location.is_a? Hash
  location = location.to_sym

  if result.is_a? Hash
    line = result[:call].original_line || result[:call].line
  elsif sexp? result
    line = result.original_line || result.line
  else
    raise ArgumentError
  end

  @results << [line, location, result]
end
process_call(exp) click to toggle source

Process calls and check if they include user input

# File lib/brakeman/checks/base_check.rb, line 62
def process_call exp
  process exp.target if sexp? exp.target
  process_call_args exp

  target = exp.target

  unless @safe_input_attributes.include? exp.method
    if params? target
      @has_user_input = Match.new(:params, exp)
    elsif cookies? target
      @has_user_input = Match.new(:cookies, exp)
    elsif request_env? target
      @has_user_input = Match.new(:request, exp)
    elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
      @has_user_input = Match.new(:model, exp)
    end
  end

  exp
end
process_cookies(exp) click to toggle source

Note that cookies are included in current expression

# File lib/brakeman/checks/base_check.rb, line 102
def process_cookies exp
  @has_user_input = Match.new(:cookies, exp)
  exp
end
process_default(exp) click to toggle source

Default Sexp processing. Iterates over each value in the Sexp and processes them if they are also Sexps.

# File lib/brakeman/checks/base_check.rb, line 49
def process_default exp
  exp.each_with_index do |e, i|
    if sexp? e
      process e
    else
      e
    end
  end

  exp
end
process_if(exp) click to toggle source
# File lib/brakeman/checks/base_check.rb, line 83
def process_if exp
  #This is to ignore user input in condition
  current_user_input = @has_user_input
  process exp.condition
  @has_user_input = current_user_input

  process exp.then_clause if sexp? exp.then_clause
  process exp.else_clause if sexp? exp.else_clause

  exp
end
process_params(exp) click to toggle source

Note that params are included in current expression

# File lib/brakeman/checks/base_check.rb, line 96
def process_params exp
  @has_user_input = Match.new(:params, exp)
  exp
end
process_string_interp(exp) click to toggle source

Does not actually process string interpolation, but notes that it occurred.

# File lib/brakeman/checks/base_check.rb, line 108
def process_string_interp exp
  @string_interp = Match.new(:interp, exp)
  process_default exp
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.