class Railroader::CheckFilterSkipping
Check for filter skipping vulnerability groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
Public Instance Methods
run_check()
click to toggle source
# File lib/railroader/checks/check_filter_skipping.rb, line 10 def run_check if version_between?('3.0.0', '3.0.9') and uses_arbitrary_actions? warn :warning_type => "Default Routes", :warning_code => :CVE_2011_2929, :message => "Versions before 3.0.10 have a vulnerability which allows filters to be bypassed: CVE-2011-2929", :confidence => :high, :gem_info => gemfile_or_environment, :link_path => "https://groups.google.com/d/topic/rubyonrails-security/NCCsca7TEtY/discussion" end end
uses_arbitrary_actions?()
click to toggle source
# File lib/railroader/checks/check_filter_skipping.rb, line 22 def uses_arbitrary_actions? tracker.routes.each do |_name, actions| if actions.include? :allow_all_actions return true end end false end