Check forgery setting in all direct subclasses of ActionController::Base #858
Conversation
… of ActionController::Base
:confidence => CONFIDENCE[:high],
:file => app_controller.file
if tracker.config.allow_forgery_protection?
warn :controller => name,
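Review bot: the `if tracker.config.allow_forgery_protection?` test in this snippet guards a `warn :controller => name, ...` call that is bound to the controller currently being examined, yet it reads a single application-wide config value. Evaluated inside the per-controller code, the same global finding is repeated once for every direct subclass of ActionController::Base, while the controller-specific `:file => app_controller.file` warning is the only one that actually varies per controller. Hoist the config check out of the per-controller iteration so the global warning is emitted once, and keep only the missing protect_from_forgery warning per controller.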
I don't think we want to generate this warning for every controller.
It will only generate a warning for a controller that directly inherits from ActionController::Base. Will that be an issue? I would imagine that there may be apps that have more than one controller that inherits from ActionController::Base. Like say the ApplicationController and AdminController.

It's warning about a global setting (that probably no one ever uses), so it doesn't make sense to warn about it for every controller that inherits from ActionController::Base. Actually it doesn't make sense to tie it to a controller at all, but this code was written over five years ago and I didn't know what I was doing.

I factored out that check from the .each iteration. One side effect of that is that for the rails3.rb test, we prioritize the warning of CVE-2011-0447 over the missing protect_from_forgery call. See https://github.com/presidentbeef/brakeman/pull/858/files#diff-29d5ade8f0be60f47a3073ebab75b8d4L386. Which kind of makes sense in my opinion because there's no point asking the user to add the call when Rails needs upgrading or patching in the first place.

Closing, will merge with #953

This fixes #848. This is the second part to fix #664. Instead of just scanning controllers named ApplicationController, we scan direct subclasses of ActionController::Base instead. Once we have both this PR and #857 merged, we can close #664. 😉
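The two behaviours debated in this thread, as an added illustration that is not Brakeman's code: the per-controller warning is raised only for direct subclasses of ActionController::Base that never call protect_from_forgery (a controller inheriting from ApplicationController gets the call for free and is skipped), while the application-wide allow_forgery_protection setting is checked once, outside the per-controller loop, so it never multiplies with the number of controllers. The Controller and Config structs, the sample application and the warning hash layout are constructed stand-ins for Brakeman's parsed controllers and tracker config, not its real data structures.

```ruby
# Added example, not Brakeman's code. Models the two checks discussed in this
# PR on a constructed, simplified view of an application's controllers.

# Constructed stand-in for a parsed controller: class name, parent class name,
# whether a protect_from_forgery call was seen in its body, and its file.
Controller = Struct.new(:name, :parent, :protect_from_forgery, :file)

# Constructed stand-in for the relevant part of the app's Rails config.
Config = Struct.new(:allow_forgery_protection)

BASE = "ActionController::Base"

# Only controllers that inherit directly from ActionController::Base are
# candidates; anything below ApplicationController inherits its protection.
def direct_subclasses(controllers)
  controllers.select { |c| c.parent == BASE }
end

# Returns an array of warning hashes. The global setting is evaluated once,
# before iterating controllers, so it produces at most one warning no matter
# how many direct subclasses the application has.
def forgery_warnings(controllers, config)
  warnings = []

  # Explicit `== false`: nil means "not set", which keeps the Rails default (on).
  if config.allow_forgery_protection == false
    warnings << {
      type:    :forgery_protection_disabled,
      message: "Forgery protection is disabled (allow_forgery_protection = false)"
    }
  end

  direct_subclasses(controllers).each do |c|
    next if c.protect_from_forgery
    warnings << {
      type:       :missing_protect_from_forgery,
      controller: c.name,
      file:       c.file,
      message:    "#{c.name} does not call protect_from_forgery"
    }
  end

  warnings
end

# Constructed sample app: two direct subclasses of ActionController::Base and
# one controller that inherits (and thus is protected) via ApplicationController.
SAMPLE_CONTROLLERS = [
  Controller.new("ApplicationController", BASE, true,  "app/controllers/application_controller.rb"),
  Controller.new("AdminController",       BASE, false, "app/controllers/admin_controller.rb"),
  Controller.new("UsersController", "ApplicationController", false, "app/controllers/users_controller.rb")
].freeze

if __FILE__ == $PROGRAM_NAME
  forgery_warnings(SAMPLE_CONTROLLERS, Config.new(false)).each do |w|
    puts "#{w[:type]}: #{w[:message]}"
  end
end
```

With the sample app and forgery protection disabled globally, the run yields exactly two warnings: one global `forgery_protection_disabled` and one `missing_protect_from_forgery` for AdminController; UsersController is never flagged because it is not a direct subclass. Flipping the config to `true` (or leaving it unset) drops the global warning and leaves only the AdminController finding.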