
feat(policies): add rails sessions policy #173

Merged: 7 commits, Nov 30, 2022

Conversation

@elsapet (Contributor) commented Nov 28, 2022

Description

  • Add support for Rails' leaking sessions policy
  • Some changes to detectors to support assignment node types (which can have anything - identifier, hash, etc. - on the right-hand side) -- thanks @vjerci for the help on this 🙏

Sample code:

class Users < ApplicationRecord
  session[:user_name] = "mish"
  session[:current_user] = user.first_name
end

Policy Report

=====================================
Policy list:

- Session leaking
- Application level encryption missing
- Logger leaking


CRITICAL: Session leaking policy breach with Personal data
Session leaks detected

File: ../../Desktop/example/user.rb:4

 4 session[:current_user] = user.first_name

=====================================

Policy breaches detected

3 policies were run and 1 breaches were detected.

CRITICAL: 1 (Session leaking)
HIGH: 0
MEDIUM: 0
LOW: 0


exit status 1

Checklist

  • I've added test coverage that shows my fix or feature works as expected.
  • I've updated or added documentation if required.
  • I've included usage information in the description if CLI behavior was updated or added.
  • PR title follows Conventional Commits format
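An added illustration of the check this policy performs (example code, not Curio's detector): a line-based Ruby heuristic that flags assignments into `session` whose right-hand side references a personal-data attribute, whether as a bare identifier, a method chain or inside a hash literal, which is the node shape the description mentions. The attribute list and the sample source are constructed.

```ruby
# Added example, not Curio's detector: a line-based heuristic for the pattern
# the Rails sessions policy reports, i.e. `session[...] = <rhs>` where the
# right-hand side references a personal-data attribute. Attribute names and
# the sample source are constructed for illustration.

PERSONAL_ATTRS = %w[first_name last_name email phone date_of_birth].freeze

# `session[:key] = rhs` or `session["key"] = rhs` on a single line;
# `(?!=)` keeps `==` comparisons from matching.
SESSION_ASSIGN = /\bsession\[(?<key>[^\]]+)\]\s*=(?!=)\s*(?<rhs>.+)$/

# Personal-data names referenced anywhere on the right-hand side. Tokenising
# the whole expression covers a bare identifier (`email`), a method chain
# (`user.first_name`) and a hash literal (`{ name: user.last_name }`) alike;
# a plain string literal such as "mish" yields no such token.
def personal_refs(rhs)
  rhs.scan(/\b[a-z_]\w*\b/).select { |tok| PERSONAL_ATTRS.include?(tok) }.uniq
end

# Returns one finding per leaking assignment in the given Ruby source:
# { line: 1-based line number, key: session key text, attrs: [...], code: line }.
def find_session_leaks(source)
  source.each_line.with_index(1).flat_map do |text, lineno|
    m = SESSION_ASSIGN.match(text)
    next [] unless m
    attrs = personal_refs(m[:rhs])
    attrs.empty? ? [] : [{ line: lineno, key: m[:key], attrs: attrs, code: text.strip }]
  end
end

# Constructed sample: lines 3 and 4 leak, lines 2 and 5 do not.
SAMPLE = <<~RUBY
  class Users < ApplicationRecord
    session[:user_name] = "mish"
    session[:current_user] = user.first_name
    session[:profile] = { name: user.last_name, id: user.id }
    session[:count] = 3
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_session_leaks(SAMPLE).each do |f|
    puts "CRITICAL: Session leaking at line #{f[:line]} (#{f[:attrs].join(', ')}): #{f[:code]}"
  end
end
```

Being purely textual, the heuristic also matches references inside comments and over-reports a hash key that happens to be named like an attribute; a real detector works on parsed assignment nodes, as the PR describes.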

swarmia bot commented Nov 28, 2022

✅  Linked to AMA-3274 · Session Leaking
➡️  Part of AMA-3273 · Ruby Policies
➡️  Part of AMA-2947 · OSS - Curio CLI

@elsapet elsapet force-pushed the AMA-3274-session-leaking branch 2 times, most recently from 75f5462 to 9761552 Compare November 29, 2022 15:37
@elsapet elsapet changed the title WIP feat(policies): add rails sessions policy Nov 29, 2022
@elsapet elsapet marked this pull request as ready for review November 29, 2022 15:43
@elsapet elsapet requested review from cfabianski and vjerci and removed request for cfabianski November 29, 2022 15:52
@cfabianski (Collaborator) left a comment

What do you think?

Review threads on: curio.yml (outdated), pkg/commands/process/settings/policies.yml
@elsapet elsapet merged commit 74cd2e3 into main Nov 30, 2022
@elsapet elsapet deleted the AMA-3274-session-leaking branch November 30, 2022 10:39