Class: LintFu::Rails::UnsafeFindChecker
Defined in: lib/lint_fu/rails/unsafe_find_checker.rb
Overview
Visit a Rails controller looking for ActiveRecord finders being called in a way that might allow an attacker to perform unauthorized operations on resources, e.g. creating, updating or deleting someone else’s records.
Constant Summary
- FINDER_REGEXP = /^(find|first|all)(_or_initialize)?(_by_.*_id)?/
Instance Attribute Summary
Attributes inherited from Checker
Instance Method Summary
- #observe_call(sexp) ⇒ Object
  sexp: s(:call, <target>, <method_name>, s(:arglist))
- #observe_class_begin(sexp) ⇒ Object
  sexp: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))
- #observe_class_end(sexp) ⇒ Object
  sexp: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))
Methods inherited from Checker
Constructor Details
This class inherits a constructor from LintFu::Checker
Instance Method Details
#observe_call(sexp) ⇒ Object
- sexp: s(:call, <target>, <method_name>, s(:arglist))

    # File 'lib/lint_fu/rails/unsafe_find_checker.rb', line 73
    def observe_call(sexp)
      check_suspicious_finder(sexp)
    end
#observe_class_begin(sexp) ⇒ Object
- sexp: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))

    # File 'lib/lint_fu/rails/unsafe_find_checker.rb', line 62
    def observe_class_begin(sexp)
      #TODO get rid of RightScale-specific assumption
      @in_admin_controller = !!(sexp[1].to_ruby_string =~ /^Admin/)
    end
#observe_class_end(sexp) ⇒ Object
- sexp: s(:class, <class_name>, <superclass>, s(:scope, <class_definition>))

    # File 'lib/lint_fu/rails/unsafe_find_checker.rb', line 68
    def observe_class_end(sexp)
      @in_admin_controller = false
    end
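As an added example (not lint_fu's own code), here is a minimal visitor that wires the three hooks above to a ruby_parser-style tree modelled as nested arrays. It assumes the node layouts documented on this page and uses a simplified rule of its own in place of the undocumented check_suspicious_finder: a finder matching FINDER_REGEXP called on a bare model constant outside an Admin controller is reported, while one reached through an association chain (current_user.posts.find) is not.

```ruby
# Added example, not lint_fu's code. Nested arrays stand in for ruby_parser's Sexp;
# the "suspicious" rule below is a deliberate simplification of our own.
FINDER_REGEXP = /^(find|first|all)(_or_initialize)?(_by_.*_id)?/

def s(*args); args; end  # stand-in for ruby_parser's Sexp constructor

class MiniUnsafeFindChecker
  def initialize
    @issues = []
    @in_admin_controller = false
  end

  # Depth-first walk, firing the hooks the way lint_fu's visitor would.
  def run(sexp)
    walk(sexp)
    @issues
  end

  def walk(node)
    return unless node.is_a?(Array)
    observe_class_begin(node) if node[0] == :class
    observe_call(node)        if node[0] == :call
    node.each { |child| walk(child) }
    observe_class_end(node)   if node[0] == :class
  end

  def observe_class_begin(sexp)  # same /^Admin/ naming convention as the page
    @in_admin_controller = !!(sexp[1].to_s =~ /^Admin/)
  end

  def observe_class_end(_sexp)
    @in_admin_controller = false
  end

  def observe_call(sexp)
    target, method_name = sexp[1], sexp[2]
    return unless method_name.to_s =~ FINDER_REGEXP && !@in_admin_controller
    # Bare constant receiver: a table-wide lookup driven by caller input rather
    # than one scoped through the current user's associations.
    @issues << "#{target[1]}.#{method_name}" if target.is_a?(Array) && target[0] == :const
  end
end

# Constructed sample input: params[:id] and two controllers as ruby_parser would emit them.
PARAMS_ID = s(:call, s(:call, nil, :params, s(:arglist)), :[], s(:arglist, s(:lit, :id)))
POSTS_CONTROLLER = s(:class, :PostsController, s(:const, :ApplicationController), s(:scope,
  s(:call, s(:const, :Post), :find, s(:arglist, PARAMS_ID)),   # reported
  s(:call, s(:call, s(:call, nil, :current_user, s(:arglist)), :posts, s(:arglist)), :find, s(:arglist, PARAMS_ID))))
ADMIN_CONTROLLER = s(:class, :AdminPostsController, s(:const, :ApplicationController), s(:scope,
  s(:call, s(:const, :Post), :find, s(:arglist, PARAMS_ID))))   # not reported
```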