class Railroader::CheckDetailedExceptions

Check whether detailed exceptions are enabled in production

Constants

LOCAL_REQUEST

Public Instance Methods

check_detailed_exceptions()
# File lib/railroader/checks/check_detailed_exceptions.rb, line 26
# Inspect every public controller method for a `show_detailed_exceptions?`
# override whose final expression is not a recognised safe value.
#
# The last expression of the method body is taken as its effective return
# value. A literal `true` is reported with :high confidence; any other value
# that `safe?` does not accept is reported with :medium confidence, because a
# dynamic result cannot be resolved statically. Methods with an empty body are
# skipped.
def check_detailed_exceptions
  tracker.controllers.each do |_controller_name, controller|
    controller.methods_public.each do |method_name, definition|
      src = definition[:src]
      body = src.body.last
      next unless body
      next unless method_name == :show_detailed_exceptions?
      next if safe?(body)

      # A literal `true` leaves no doubt; anything else needs a human look.
      confidence = true?(body) ? :high : :medium

      warn warning_type: "Information Disclosure",
           warning_code: :detailed_exceptions,
           message: "Detailed exceptions may be enabled in 'show_detailed_exceptions?'",
           confidence: confidence,
           code: src,
           file: definition[:file]
    end
  end
end
check_local_request_config()
# File lib/railroader/checks/check_detailed_exceptions.rb, line 16
# Warn when the production Rails config sets `consider_all_requests_local`
# to a literal `true` (the Rails setting that makes every request, not only
# local ones, receive the detailed error page).
#
# Only a literal true is reported (:high confidence); any other value is
# left alone. The warning is attributed to config/environments/production.rb.
def check_local_request_config
  return unless true?(tracker.config.rails[:consider_all_requests_local])

  warn warning_type: "Information Disclosure",
       warning_code: :local_request_config,
       message: "Detailed exceptions are enabled in production",
       confidence: :high,
       file: "config/environments/production.rb"
end
run_check()
# File lib/railroader/checks/check_detailed_exceptions.rb, line 11
# Entry point invoked by the check runner.
#
# The production config setting is inspected first, then each controller's
# `show_detailed_exceptions?` override; both may emit warnings.
def run_check
  check_local_request_config
  check_detailed_exceptions
end
safe?(body)
# File lib/railroader/checks/check_detailed_exceptions.rb, line 51
# Whether the final expression of a `show_detailed_exceptions?` body is a
# value this check accepts as safe: a literal `false`, or an expression
# equal to LOCAL_REQUEST.
#
# @param body the last expression of the method body
# @return [Boolean]
def safe?(body)
  false?(body) || body == LOCAL_REQUEST
end