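# Warn on controllers that subclass ActionController::Base directly and either
# never call protect_from_forgery, or (Rails 4+) call it without
# `with: :exception`. The whole check is skipped when the tracked app's
# configuration already enables forgery protection by default.
#
# Fix: the parent comparison used two adjacent string literals
# ("ActionController::Base""ActionController::Base"), which Ruby concatenates
# into one string that no controller's parent can equal, so the filter
# selected nothing and no CSRF warning was ever produced.
#
# @return [void]
def run_check
  return if tracker.config.default_protect_from_forgery?

  tracker.controllers
    .select { |_, controller| controller.parent == "ActionController::Base" }
    .each do |name, controller|
      # The nil guard is kept for parity with the original condition; the
      # select above already dereferenced `controller`.
      if controller && !controller.protect_from_forgery?
        warn_protection_missing(name, controller)
      elsif version_between?("4.0.0", "100.0.0") &&
            (forgery_opts = controller.options[:protect_from_forgery])
        # "100.0.0" acts as an open upper bound: any Rails 4 or newer.
        warn_not_raising(name, controller, forgery_opts) unless raises_on_forgery?(forgery_opts)
      end

      # Any recorded protect_from_forgery call also triggers the
      # CVE-2011-0447 check (its own version gating lives in that method).
      check_cve_2011_0447 if controller.options[:protect_from_forgery]
    end
end

# True when the recorded protect_from_forgery call is configured with
# `with: :exception`, the only strategy this check accepts as actually
# rejecting a forged request (the other strategies presumably let the action
# run with a nulled or reset session instead).
#
# @param forgery_opts [Array<Sexp>, Object] recorded call(s); anything that is
#   not an Array whose first element is a Sexp is treated as not raising
# @return [Boolean]
def raises_on_forgery?(forgery_opts)
  return false unless forgery_opts.is_a?(Array) && sexp?(forgery_opts.first)

  access_arg = hash_access(forgery_opts.first.first_arg, :with)
  # A missing :with key yields a falsy access_arg (presumably nil), which
  # must short-circuit before symbol?/value are called on it.
  !!(access_arg && symbol?(access_arg) && access_arg.value == :exception)
end

# Report a controller that never calls protect_from_forgery.
#
# @param name [Object] controller name as keyed in tracker.controllers
# @param controller [Object] the tracked controller (provides file/top_line)
# @return [void]
def warn_protection_missing(name, controller)
  csrf_warning :controller => name,
    :warning_code => :csrf_protection_missing,
    :message => msg(msg_code("protect_from_forgery"), " should be called in ", msg_code(name)),
    :file => controller.file,
    :line => controller.top_line
end

# Report a Rails 4+ controller whose protect_from_forgery call does not use
# `with: :exception`. The offending call is attached as :code when the
# recorded options are an Array.
#
# @param name [Object] controller name as keyed in tracker.controllers
# @param controller [Object] the tracked controller (provides file)
# @param forgery_opts [Array<Sexp>, Object] recorded protect_from_forgery call(s)
# @return [void]
def warn_not_raising(name, controller, forgery_opts)
  args = {
    :controller => name,
    :warning_type => "Cross-Site Request Forgery",
    :warning_code => :csrf_not_protected_by_raising_exception,
    :message => msg(msg_code("protect_from_forgery"), " should be configured with ", msg_code("with: :exception")),
    :confidence => :medium,
    :file => controller.file
  }
  args[:code] = forgery_opts.first if forgery_opts.is_a?(Array)
  csrf_warning args
end

private :raises_on_forgery?, :warn_protection_missing, :warn_not_raising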