class Railroader::CheckRenderDoS

Public Instance Methods

run_check() click to toggle source
# File lib/railroader/checks/check_render_dos.rb, line 8
def run_check
  if version_between? "3.0.0", "3.0.20" or
     version_between? "3.1.0", "3.1.12" or
     version_between? "3.2.0", "3.2.16"

    tracker.find_call(:target => nil, :method => :render).each do |result|
      if text_render? result
        warn_about_text_render
        break
      end
    end
  end
end
text_render?(result) click to toggle source
# File lib/railroader/checks/check_render_dos.rb, line 22
def text_render? result
  node_type? result[:call], :render and
  result[:call].render_type == :text
end
warn_about_text_render() click to toggle source
# File lib/railroader/checks/check_render_dos.rb, line 27
def warn_about_text_render
  message = "Rails #{rails_version} has a denial of service vulnerability (CVE-2014-0082). Upgrade to Rails version 3.2.17"

  warn :warning_type => "Denial of Service",
    :warning_code => :CVE_2014_0082,
    :message => message,
    :confidence => :high,
    :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
    :gem_info => gemfile_or_environment
end