Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Brakeman does not catch lack of protect_from_forgery in Rails engines #664

Closed
tomekr opened this issue Jun 16, 2015 · 2 comments
Closed

Brakeman does not catch lack of protect_from_forgery in Rails engines #664

tomekr opened this issue Jun 16, 2015 · 2 comments

Comments

@tomekr
Copy link

tomekr commented Jun 16, 2015

It looks like the CheckForgerySetting will only check ApplicationController[1]. This becomes an issue when running the test against a Rails engine as the rails engine generator will throw the ApplicationController into a namespace (i.e. Foobar::ApplicationController) which the check will be unable to find. With help from @jjarmoc, we came up with putting the entire check into a block that grabs all ApplicationControllers via a regex:

  def run_check
    tracker.controllers.keys.select{|key| key =~ /.*ApplicationController/ }.each do |controller_key|
      app_controller = tracker.controllers[controller_key]

      return unless ancestor? app_controller, :"ActionController::Base"
      ...

This should catch CSRF when running brakeman against the Rails engine itself, however it becomes more complicated when attempting to find it in Rails engines that are in other Rails applications. It looks like engines used to be generated in the engines/ directory, but when following the documentation[2], the engine just shows up in the root as a directory with whatever name you give it. A possible way to detect this is via the routes file where AFAIK is how you tell Rails you want to use the engine using something like mount Blorgh::Engine => "/blorgh". This should tell you the Rails engines being used but I'm not sure how you would differentiate between a Rails engine that's a part of the source and a Rails engine that's coming from a gem. Maybe checking for the blorgh directory in the root and if it's not there assume it's coming from a gem?

[1]

brakeman/lib/brakeman/checks/check_forgery_setting.rb

Line 13 in a3dab55

app_controller = tracker.controllers[:ApplicationController]

[2] http://guides.rubyonrails.org/engines.html#generating-an-engine
@presidentbeef
Copy link
Owner

Hi Tomek,

Brakeman support for engines is quite spotty and I'm sure there is room for improvement. Right now it does load files from the /engines directory. Using the mount call to find the engine seems like a good idea to me. If the path can't be found, then it can't be found and it's not a big deal. The next step would probably be adding an option so you could point it at the engine directory - that would allow for pointing it at gems too.

@presidentbeef presidentbeef mentioned this issue Feb 16, 2016
Merged
@presidentbeef presidentbeef mentioned this issue Mar 31, 2016
Closed
This was referenced Apr 4, 2016
Closed
Closed
@presidentbeef
Copy link
Owner

Fixed with #953 and other referenced PRs.

Repository owner locked and limited conversation to collaborators Aug 7, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@presidentbeef @tomekr