class Brakeman::CheckSessionManipulation


# File lib/brakeman/checks/check_session_manipulation.rb, line 14
# Examine one `session[key] = value` call site and emit a "Session
# Manipulation" warning when `key` is taken directly from user input.
#
# Results already reported (per `original?`) are skipped. Confidence is
# :high when the key expression comes from `params`, :medium for any other
# immediate user input. Returns nil when nothing is reported.
#
# @param result [Hash] a call record from the tracker; `result[:call]` is
#   the `session[]=` call whose first argument is the key being written
# @return [nil, Object] nil when skipped, otherwise the value of `warn`
def process_result result
  return unless original? result

  key_expr = result[:call].first_arg
  input = has_immediate_user_input? key_expr
  return unless input

  # A key read straight from params is the most certain finding.
  confidence = params?(key_expr) ? :high : :medium

  warn :result => result,
    :warning_type => "Session Manipulation",
    :warning_code => :session_key_manipulation,
    :message => msg(msg_input(input), " used as key in session hash"),
    :user_input => input,
    :confidence => confidence
end
# File lib/brakeman/checks/check_session_manipulation.rb, line 8
# Entry point for the check: collect every `session[...] = ...` assignment
# the tracker recorded and pass each call record to #process_result, which
# decides whether the key is user-controlled and warns accordingly.
#
# @return [Array<Hash>] the call records found (the value of `each`)
def run_check
  session_writes = tracker.find_call :method => :[]=, :target => :session
  session_writes.each { |result| process_result result }
end