Class: RuboCop::Cop::GitlabSecurity::DeepMunge

Inherits: Base

Defined in: lib/rubocop/cop/gitlab_security/deep_munge.rb

Overview

Checks for disabling the deep munge security control.

Disabling this security setting can leave the application open to unsafe query generation.

See CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

Examples:

# bad
config.action_dispatch.perform_deep_munge = false

# bad
config.action_dispatch.perform_deep_munge = !true

# good
config.action_dispatch.perform_deep_munge = true

# good
# Deep munge is not explicitly disabled
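To show what the control this cop protects actually does, here is an added illustration that is not part of this page or of the rubocop-gitlab-security project: a plain-Ruby reimplementation modelled on Rails' ActionDispatch::Request::Utils.deep_munge (the Rails 5+ compacting behaviour is assumed; older versions differ in detail). It strips nil members out of arrays in parsed request parameters, recursing through nested hashes, so that a parameter parsed as `[nil]` does not reach a query builder unchanged. The sample params hash is constructed for the example.

```ruby
# Added illustration modelled on Rails' deep_munge (Rails 5+ behaviour assumed):
# walk a parsed params hash, remove nil elements from every array, and recurse
# into nested hashes and into hashes held inside arrays. Mutates and returns
# the hash, as the Rails helper does.
def deep_munge(hash)
  hash.each_value do |v|
    case v
    when Array
      v.grep(Hash) { |inner| deep_munge(inner) } # recurse into hashes in the array
      v.compact!                                 # drop nil members such as [nil]
    when Hash
      deep_munge(v)
    end
  end
  hash
end

# Constructed sample shaped like a parsed query string whose array members
# carry no value (the form a bare "user[name][]" key is parsed into).
SAMPLE_PARAMS = {
  "user" => {
    "name" => [nil],
    "ids" => ["1", nil],
    "addresses" => [{ "city" => [nil] }, nil]
  }
}.freeze

# Deep-copy the constant before munging so repeated calls see the same input.
def munged_sample
  deep_munge(Marshal.load(Marshal.dump(SAMPLE_PARAMS)))
end

if __FILE__ == $PROGRAM_NAME
  p munged_sample
  # => {"user"=>{"name"=>[], "ids"=>["1"], "addresses"=>[{"city"=>[]}]}}
end
```

With perform_deep_munge set to false this normalisation is skipped and the raw `[nil]` values are passed through to the application, which is the condition the cop reports.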

Constant Summary

MSG = 'Never disable the deep munge security option.'

Instance Method Details

#disable_deep_munge?(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/deep_munge.rb', line 31

def_node_matcher :disable_deep_munge?, <<-PATTERN
  (send
    (send (send nil? :config) :action_dispatch) :perform_deep_munge=
      { (false) (send true :!) }
  )
PATTERN

#on_send(node) ⇒ Object

# File 'lib/rubocop/cop/gitlab_security/deep_munge.rb', line 38

def on_send(node)
  return unless disable_deep_munge?(node)

  add_offense(node.loc.selector)
end