class Brakeman::CheckRenderDoS

Public Instance Methods

run_check() click to toggle source
# File lib/brakeman/checks/check_render_dos.rb, line 8
def run_check
  if version_between? "3.0.0", "3.0.20" or
     version_between? "3.1.0", "3.1.12" or
     version_between? "3.2.0", "3.2.16"

    tracker.find_call(:target => nil, :method => :render).each do |result|
      if text_render? result
        warn_about_text_render
        break
      end
    end
  end
end
text_render?(result) click to toggle source
# File lib/brakeman/checks/check_render_dos.rb, line 22
def text_render? result
  node_type? result[:call], :render and
  result[:call].render_type == :text
end
warn_about_text_render() click to toggle source
# File lib/brakeman/checks/check_render_dos.rb, line 27
def warn_about_text_render
  message = msg(msg_version(rails_version), " has a denial of service vulnerability ", msg_cve("CVE-2014-0082"), ". Upgrade to ", msg_version("3.2.17"))

  warn :warning_type => "Denial of Service",
    :warning_code => :CVE_2014_0082,
    :message => message,
    :confidence => :high,
    :link_path => "https://groups.google.com/d/msg/rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ",
    :gem_info => gemfile_or_environment
end