class Brakeman::CheckRansack
Public Instance Methods
check_ransack_calls()
click to toggle source
# File lib/brakeman/checks/check_ransack.rb, line 13 def check_ransack_calls tracker.find_call(method: :ransack, nested: true).each do |result| next unless original? result call = result[:call] arg = call.first_arg # If an allow list is defined anywhere in the # class or super classes, consider it safe class_name = result[:chain].first next if ransackable_allow_list?(class_name) if input = has_immediate_user_input?(arg) confidence = if tracker.find_class(class_name).nil? confidence = :low elsif result[:location][:file].relative.include? 'admin' confidence = :medium else confidence = :high end message = msg('Unrestricted search using ', msg_code('ransack'), ' library called with ', msg_input(input), '. Limit search by defining ', msg_code('ransackable_attributes'), ' and ', msg_code('ransackable_associations'), ' methods in class or upgrade Ransack to version 4.0.0 or newer') warn result: result, warning_type: 'Missing Authorization', warning_code: :ransack_search, message: message, user_input: input, confidence: confidence, cwe_id: [862], link: 'https://positive.security/blog/ransack-data-exfiltration' end end end
ransackable_allow_list?(class_name)
click to toggle source
# File lib/brakeman/checks/check_ransack.rb, line 49 def ransackable_allow_list? class_name tracker.find_method(:ransackable_attributes, class_name, :class) and tracker.find_method(:ransackable_associations, class_name, :class) end
run_check()
click to toggle source
# File lib/brakeman/checks/check_ransack.rb, line 8 def run_check return unless version_between? "0.0.0", "3.99", tracker.config.gem_version(:ransack) check_ransack_calls end