class Railroader::CheckBasicAuthTimingAttack

Public Instance Methods

check_basic_auth_call() click to toggle source
# File lib/railroader/checks/check_basic_auth_timing_attack.rb, line 23
def check_basic_auth_call
  tracker.find_call(target: nil, method: :http_basic_authenticate_with).each do |result|
    warn :result => result,
      :warning_type => "Timing Attack",
      :warning_code => :CVE_2015_7576,
      :message => "Basic authentication in Rails #{rails_version} is vulnerable to timing attacks. Upgrade to #@upgrade",
      :confidence => :high,
      :link => "https://groups.google.com/d/msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"
  end
end
run_check() click to toggle source
# File lib/railroader/checks/check_basic_auth_timing_attack.rb, line 8
def run_check
  @upgrade = case
             when version_between?("0.0.0", "3.2.22")
               "3.2.22.1"
             when version_between?("4.0.0", "4.1.14")
               "4.1.14.1"
             when version_between?("4.2.0", "4.2.5")
               "4.2.5.1"
             else
               return
             end

  check_basic_auth_call
end