Class: Scanny::Checks::AccessControlCheck
Defined in: lib/scanny/checks/access_control_check.rb
Overview
Checks for use of “params” in the arguments of certain methods that require an authorization check.
Instance Method Summary
Methods inherited from Check
#compiled_pattern, #issue, #strict?, #visit
Instance Method Details
#check(node) ⇒ Object
```ruby
# File 'lib/scanny/checks/access_control_check.rb', line 45

def check(node)
  issue :medium, "Using \"params[:id]\" requires proper authorization check.", :cwe => 285
end
```
#pattern ⇒ Object
```ruby
# File 'lib/scanny/checks/access_control_check.rb', line 7

def pattern
  <<-EOT
    SendWithArguments<
      name = :new | :create,
      arguments = ActualArguments<
        array = [
          HashLiteral<
            array = [
              any{odd},
              SendWithArguments<
                receiver = Send<name = :params>,
                name = :[],
                arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
              >,
              any{even}
            ]
          >
        ]
      >
    >
    |
    SendWithArguments<
      name = :delete | :destroy,
      arguments = ActualArguments<
        array = [
          any*,
          SendWithArguments<
            receiver = Send<name = :params>,
            name = :[],
            arguments = ActualArguments<array = [SymbolLiteral<value = :id>]>
          >,
          any*
        ]
      >
    >
  EOT
end
```
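The pattern above reads as two branches: `params[:id]` used as a hash *value* in a call to `new`/`create`, or as any positional argument of `delete`/`destroy`. As an added example that is not part of Scanny or of this page, the script below re-implements the same rule with Ruby's standard `Ripper` parser instead of Scanny's Machete patterns over the Rubinius AST, and runs it over a constructed sample controller. The helper names (`each_node`, `params_id?`, `call_site`, `scan`), the issue hash shape and the sample source are all my own; only the method names, severity, message and CWE come from the check itself.

```ruby
require "ripper"

# Method names the check watches, taken from the pattern above.
CREATE_METHODS = %w[new create].freeze
DELETE_METHODS = %w[delete destroy].freeze
WATCHED_METHODS = (CREATE_METHODS + DELETE_METHODS).freeze

# Depth-first walk over a Ripper S-expression; yields every array node.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  blk.call(node)
  node.each { |child| each_node(child, &blk) }
end

# True if the subtree contains params[:id]: an :aref whose receiver is a bare call
# to "params" and whose index is the symbol :id. A string key ("id") does not match,
# mirroring SymbolLiteral<value = :id> in the pattern.
def params_id?(node)
  found = false
  each_node(node) do |n|
    next unless n[0] == :aref
    recv_ok = false
    each_node(n[1]) { |r| recv_ok ||= (r[0] == :@ident && r[1] == "params") }
    idx_ok = false
    each_node(n[2]) { |i| idx_ok ||= (i[0] == :symbol && i[1].is_a?(Array) && i[1][1] == "id") }
    found ||= (recv_ok && idx_ok)
  end
  found
end

# True if params[:id] is the *value* of a hash argument, which is what the
# HashLiteral<... any{odd}, params[:id], any{even} ...> branch requires for new/create.
def hash_value_params_id?(args)
  found = false
  each_node(args) { |n| found ||= (n[0] == :assoc_new && params_id?(n[2])) }
  found
end

# Extract [method-name ident node, argument subtree] from the call shapes Ripper emits:
#   recv.m(args) / m(args)  -> :method_add_arg
#   recv.m args             -> :command_call
#   m args                  -> :command
def call_site(n)
  case n[0]
  when :method_add_arg
    callee = n[1]
    [callee[0] == :call ? callee[3] : callee[1], n[2]]
  when :command_call then [n[3], n[4]]
  when :command      then [n[1], n[2]]
  end
end

# Scan Ruby source text and return one issue hash per match, in source order.
def scan(source)
  issues = []
  each_node(Ripper.sexp(source)) do |n|
    ident, args = call_site(n)
    next unless ident.is_a?(Array) && ident[0] == :@ident && WATCHED_METHODS.include?(ident[1])
    name = ident[1]
    hit = CREATE_METHODS.include?(name) ? hash_value_params_id?(args) : params_id?(args)
    next unless hit
    issues << { line: ident[2][0], method: name, severity: :medium, cwe: 285,
                message: 'Using "params[:id]" requires proper authorization check.' }
  end
  issues
end

# Constructed sample controller (hypothetical; not taken from any real project).
SAMPLE_SOURCE = <<~RUBY
  class PostsController
    def destroy
      Post.destroy(params[:id])                        # unscoped delete by a client-supplied id
    end

    def create
      Post.new(id: params[:id], title: params[:title]) # client-supplied id as a hash value
    end

    def safe_destroy
      current_user.posts.find(params[:id]).destroy     # lookup scoped to the caller's own records
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_SOURCE).each do |i|
    puts "line #{i[:line]}: #{i[:method]} -- #{i[:message]} (CWE-#{i[:cwe]})"
  end
end
```

Running the script reports lines 3 and 7 of the sample and stays silent on `safe_destroy`, which is the shape of fix the check's message asks for: the record is looked up through `current_user`, so an `id` the client controls can only reach records the caller is allowed to act on. Note that, like the original pattern, the `new`/`create` branch ignores a positional `Post.new(params[:id])` and only fires when `params[:id]` is a hash value.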