Methods

Class/Module Index [+]

Quicksearch

Brakeman::CheckForgerySetting

Checks that protect_from_forgery is set in the ApplicationController.

Also warns for CSRF weakness in certain versions of Rails: groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665

Public Instance Methods

run_check() click to toggle source
# File lib/brakeman/checks/check_forgery_setting.rb, line 12
def run_check
  app_controller = tracker.controllers[:ApplicationController]
  if tracker.config[:rails] and
    tracker.config[:rails][:action_controller] and
    tracker.config[:rails][:action_controller][:allow_forgery_protection] == Sexp.new(:false)

    warn :controller => :ApplicationController,
      :warning_type => "Cross-Site Request Forgery",
      :message => "Forgery protection is disabled", 
      :confidence => CONFIDENCE[:high]

  elsif app_controller and not app_controller[:options][:protect_from_forgery]

    warn :controller => :ApplicationController, 
      :warning_type => "Cross-Site Request Forgery", 
      :message => "'protect_from_forgery' should be called in ApplicationController", 
      :confidence => CONFIDENCE[:high]

  elsif version_between? "2.1.0", "2.3.10"
    
    warn :controller => :ApplicationController, 
      :warning_type => "Cross-Site Request Forgery",
      :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
      :confidence => CONFIDENCE[:high],
      :file => gemfile_or_environment,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"

  elsif version_between? "3.0.0", "3.0.3"

    warn :controller => :ApplicationController, 
      :warning_type => "Cross-Site Request Forgery",
      :message => "CSRF protection is flawed in unpatched versions of Rails #{tracker.config[:rails_version]} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
      :confidence => CONFIDENCE[:high],
      :file => gemfile_or_environment,
      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
  end
end

[Validate]

Generated with the Darkfish Rdoc Generator 2.