Class: Rails::Guarddog::Checkers::DosChecker

Inherits:
BaseChecker
  • Object
show all
Defined in:
lib/rails/guarddog/checkers/dos_checker.rb

Constant Summary collapse

UNBOUNDED_QUERY_PATTERN =

Matches .all only when it is the final call on an ActiveRecord-style model class (PascalCase constant), e.g.:

User.all            => flagged
Post.where(...).all => flagged

But NOT:

current_user.permissions.track_manage.all => NOT flagged (lowercase receiver)
collection.all? { }                       => NOT flagged (.all? method)
/
  (?:
    [A-Z][A-Za-z0-9_]*    # PascalCase model class  e.g. User, TrackItem
    (?:\.[a-z_]+\(.*?\))*  # optional chained scopes e.g. .where(...).order(...)
  )
  \.all                    # the .all call
  (?!\?)                   # not .all? (Enumerable method, not AR query)
  \s*(?:[,)\]#\n]|$)      # followed by end-of-expression (not .limit etc.)
/x.freeze
REDOS_PATTERNS =

Patterns known to be dangerous nested regex (ReDoS)

[
  /\/.+\*\+.*\*\+.+\//,
  /match\?.*\(.+\*\+/
].freeze
LOOKAHEAD_LINES =

How many lines ahead to search for a .limit() call. Covers both chained-on-next-line and separate-assignment styles.

3

Instance Attribute Summary

Attributes inherited from BaseChecker

#findings

Instance Method Summary collapse

Methods inherited from BaseChecker

#initialize

Constructor Details

This class inherits a constructor from Rails::Guarddog::Checkers::BaseChecker

Instance Method Details

#runObject



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# File 'lib/rails/guarddog/checkers/dos_checker.rb', line 32

def run
  glob_files('app/**/*.rb').each do |file|
    lines = File.readlines(file) rescue next

    lines.each_with_index do |line, idx|
      next if line.strip.start_with?('#')

      if line.match?(UNBOUNDED_QUERY_PATTERN) && !limit_applied?(lines, idx, line)
        add_finding(
          severity: :high,
          message: "Potential DoS: unbounded database query without limit",
          file: file,
          line: idx + 1,
          snippet: line.strip,
          remediation: "Add .limit() to control result size"
        )
      end

      if REDOS_PATTERNS.any? { |pat| line.match?(pat) }
        add_finding(
          severity: :high,
          message: "Potential ReDoS vulnerability: dangerous regex pattern",
          file: file,
          line: idx + 1,
          snippet: line.strip,
          remediation: "Simplify regex or use timeout mechanisms"
        )
      end
    end
  end
  findings
end