class Brakeman::CheckDigestDoS

Public Instance Methods

run_check() click to toggle source
# File lib/brakeman/checks/check_digest_dos.rb, line 8
def run_check
  message = msg("Vulnerability in digest authentication ", msg_cve("CVE-2012-3424"), ". Upgrade to ")

  if version_between? "3.0.0", "3.0.15"
    message << msg_version("3.0.16")
  elsif version_between? "3.1.0", "3.1.6"
    message << msg_version("3.1.7")
  elsif version_between? "3.2.0", "3.2.5"
    message << msg_version("3.2.7")
  else
    return
  end

  if with_http_digest?
    confidence = :high
  else
    confidence = :weak
  end

  warn :warning_type => "Denial of Service",
    :warning_code => :CVE_2012_3424,
    :message => message,
    :confidence => confidence,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/vxJjrc15qYM/discussion",
    :gem_info => gemfile_or_environment
end
with_http_digest?() click to toggle source
# File lib/brakeman/checks/check_digest_dos.rb, line 35
def with_http_digest?
  not tracker.find_call(:target => false, :method => [:authenticate_or_request_with_http_digest, :authenticate_with_http_digest]).empty?
end