Brakeman::CheckSessionSettings

Checks for session key length and http_only settings

Public Class Methods

new(*args)
# File lib/brakeman/checks/check_session_settings.rb, line 9
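# Sets up the check. In Rails 2.x apps session options are assigned through
# `ActionController::Base.session = { ... }`, so the Sexp for that receiver is
# kept in @session_settings for process_attrasgn to compare against. In
# Rails 3.x the settings come from `config.session_store` instead, so no
# receiver is needed and @session_settings stays nil.
#
# @param args forwarded untouched to the superclass initializer
def initialize *args
  super

  # An `if` on the Rails 3 flag replaces the original `unless ... else`,
  # which reads inverted and is flagged by the style guide.
  @session_settings =
    if tracker.options[:rails3]
      nil
    else
      Sexp.new(:colon2, Sexp.new(:const, :ActionController), :Base)
    end
end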

Public Instance Methods

process_attrasgn(exp)

Looks for ActionController::Base.session = { ... } in Rails 2.x apps

# File lib/brakeman/checks/check_session_settings.rb, line 33
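# Looks for `ActionController::Base.session = { ... }` in Rails 2.x apps.
#
# Only the Rails 2 form is handled here: the receiver must equal the
# ActionController::Base Sexp built in the initializer and the attribute
# must be +session=+. The assigned value (the first argument) is passed to
# check_for_issues and reported against config/initializers/session_store.rb.
#
# @param exp [Sexp] an attribute-assignment node
# @return [Sexp] exp, unchanged
def process_attrasgn exp
  # `&&`/`!` instead of `and`/`not`: the keyword forms bind looser than `==`
  # and `=`, which happens to parse correctly here but is a precedence trap
  # for the next edit. Naming the condition also documents what is matched.
  rails2_session_assignment = !tracker.options[:rails3] &&
                              exp.target == @session_settings &&
                              exp.method == :session=

  if rails2_session_assignment
    check_for_issues exp.first_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
  end

  exp
end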
process_call(exp)

Looks for Rails3::Application.config.session_store :cookie_store, { ... } in Rails 3.x apps

# File lib/brakeman/checks/check_session_settings.rb, line 43
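# Looks for `Rails3::Application.config.session_store :cookie_store, { ... }`
# in Rails 3.x apps.
#
# Only the Rails 3 form is handled here: settings_target? must accept the
# receiver and the method must be +session_store+. The options hash (the
# second argument) is passed to check_for_rails3_issues and reported against
# config/initializers/session_store.rb.
#
# @param exp [Sexp] a method-call node
# @return [Sexp] exp, unchanged
def process_call exp
  # `&&` instead of `and`: same precedence reasoning as in process_attrasgn.
  rails3_session_store_call = tracker.options[:rails3] &&
                              settings_target?(exp.target) &&
                              exp.method == :session_store

  if rails3_session_store_call
    check_for_rails3_issues exp.second_arg, "#{tracker.options[:app_path]}/config/initializers/session_store.rb"
  end

  exp
end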
run_check()
# File lib/brakeman/checks/check_session_settings.rb, line 19
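# Runs the check: inspects the session settings recorded from
# config/environment.rb, then walks config/initializers/session_store.rb
# when one was parsed so process_attrasgn / process_call can see it.
def run_check
  # `&&` rather than `and`. Assignment binds tighter than `and`, so the
  # original `settings = a and b and c` assigned +a+ (the whole :rails
  # config) and discarded the rest; `&&` binds tighter than `=`, so
  # +settings+ now receives the :session entry, or nil when any level
  # is missing.
  rails_config = tracker.config[:rails]
  settings = rails_config &&
             rails_config[:action_controller] &&
             rails_config[:action_controller][:session]

  check_for_issues settings, "#{tracker.options[:app_path]}/config/environment.rb"

  if tracker.initializers["session_store.rb"]
    process tracker.initializers["session_store.rb"]
  end
end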

