Class: Brakeman::CheckBasicAuth

# File 'lib/brakeman/checks/check_basic_auth.rb', line 19

def check_basic_auth_filter
  controllers = tracker.controllers.select do |name, c|
    c.options[:http_basic_authenticate_with]
  end

  Hash[controllers].each do |name, controller|
    controller.options[:http_basic_authenticate_with].each do |call|

      if pass = get_password(call) and string? pass
        warn :controller => name,
            :warning_type => "Basic Auth",
            :warning_code => :basic_auth_password,
            :message => "Basic authentication password stored in source code",
            :code => call,
            :confidence => 0,
            :file => controller.file
        break
      end
    end
  end
end

#check_basic_auth_request ⇒ `Object`

Look for

authenticate_or_request_with_http_basic do |username, password|
  username == "foo" && password == "bar"
end

# File 'lib/brakeman/checks/check_basic_auth.rb', line 45

def check_basic_auth_request
  tracker.find_call(:target => nil, :method => :authenticate_or_request_with_http_basic).each do |result|
    if include_password_literal? result
        warn :result => result,
            :code => @include_password,
            :warning_type => "Basic Auth",
            :warning_code => :basic_auth_password,
            :message => "Basic authentication password stored in source code",
            :confidence => 0
    end
  end
end

#get_password(call) ⇒ `Object`

# File 'lib/brakeman/checks/check_basic_auth.rb', line 81

def get_password call
  arg = call.first_arg

  return false if arg.nil? or not hash? arg

  hash_access(arg, :password)
end

#include_password_literal?(result) ⇒ `Boolean`

Check if the block of a result contains a comparison of password to string

Returns:

(Boolean)

# File 'lib/brakeman/checks/check_basic_auth.rb', line 59

def include_password_literal? result
  @password_var = result[:block_args].last
  @include_password = false
  process result[:block]
  @include_password
end

#process_call(exp) ⇒ `Object`

Looks for :== calls on password var

# File 'lib/brakeman/checks/check_basic_auth.rb', line 67

def process_call exp
  target = exp.target

  if node_type?(target, :lvar) and
    target.value == @password_var and
    exp.method == :== and
    string? exp.first_arg

    @include_password = exp
  end

  exp
end

#run_check ⇒ `Object`

# File 'lib/brakeman/checks/check_basic_auth.rb', line 12

def run_check
  return if version_between? "0.0.0", "3.0.99"

  check_basic_auth_filter
  check_basic_auth_request
end

Class: Brakeman::CheckBasicAuth

Overview

Constant Summary

Constants inherited from BaseCheck

Constants included from Util

Constants inherited from SexpProcessor

Instance Attribute Summary

Attributes inherited from BaseCheck

Attributes inherited from SexpProcessor

Instance Method Summary collapse

Methods inherited from BaseCheck

Methods included from Util

Methods included from ProcessorHelper

Methods inherited from SexpProcessor

Constructor Details

Instance Method Details

#check_basic_auth_filter ⇒ Object

#check_basic_auth_request ⇒ Object

#get_password(call) ⇒ Object

#include_password_literal?(result) ⇒ Boolean

#process_call(exp) ⇒ Object

#run_check ⇒ Object

#check_basic_auth_filter ⇒ `Object`

#check_basic_auth_request ⇒ `Object`

#get_password(call) ⇒ `Object`

#include_password_literal?(result) ⇒ `Boolean`

#process_call(exp) ⇒ `Object`

#run_check ⇒ `Object`