class Railroader::CheckMimeTypeDoS
Public Instance Methods
has_workaround?()
click to toggle source
# File lib/railroader/checks/check_mime_type_dos.rb, line 32 def has_workaround? tracker.check_initializers(:Mime, :const_set).any? do |match| arg = match.call.first_arg symbol? arg and arg.value == :LOOKUP end end
run_check()
click to toggle source
# File lib/railroader/checks/check_mime_type_dos.rb, line 8 def run_check fix_version = case when version_between?("3.0.0", "3.2.22") "3.2.22.1" when version_between?("4.0.0", "4.1.14") "4.1.14.1" when version_between?("4.2.0", "4.2.5") "4.2.5.1" else return end return if has_workaround? message = "Rails #{rails_version} is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version #{fix_version}" warn :warning_type => "Denial of Service", :warning_code => :CVE_2016_0751, :message => message, :confidence => :medium, :gem_info => gemfile_or_environment, :link_path => "https://groups.google.com/d/msg/rubyonrails-security/9oLY_FCzvoc/w9oI9XxbFQAJ" end