class Railroader::CheckRouteDoS

Public Instance Methods

controller_wildcards?() click to toggle source
# File lib/railroader/checks/check_route_dos.rb, line 30
def controller_wildcards?
  tracker.routes.each do |name, actions|
    if name == :':controllerController'
      # awful hack for routes with :controller in them
      return true
    elsif string? actions and actions.value.include? ":controller"
      return true
    end
  end

  false
end
run_check() click to toggle source
# File lib/railroader/checks/check_route_dos.rb, line 8
def run_check
  fix_version = case
                when version_between?("4.0.0", "4.1.14")
                  "4.1.14.1"
                when version_between?("4.2.0", "4.2.5")
                  "4.2.5.1"
                else
                  return
                end

  if controller_wildcards?
    message = "Rails #{rails_version} has a denial of service vulnerability with :controller routes (CVE-2015-7581). Upgrade to Rails #{fix_version}"

    warn :warning_type => "Denial of Service",
      :warning_code => :CVE_2015_7581,
      :message => message,
      :confidence => :medium,
      :gem_info => gemfile_or_environment,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/dthJ5wL69JE/YzPnFelbFQAJ"
  end
end