
require 'brakeman/checks/base_check'

# Author: Paul Deardorff (themetric)
# Checks models to see if important foreign keys
# or attributes are exposed as attr_accessible when
# they probably shouldn't be.

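class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."

  # Attribute names that should rarely be mass-assignable, paired with the
  # confidence reported when a model lists one under attr_accessible.
  # A Regexp entry is matched against the attribute name as a string; any
  # other entry (here a Symbol) must equal the attribute exactly.
  # Order matters: the first entry that matches decides the confidence, so
  # the specific names come before the generic foreign-key pattern.
  # These are name-based heuristics - a hit marks the attribute for review,
  # it does not prove the model is exploitable.
  SUSP_ATTRS = {
    /admin/ => CONFIDENCE[:high], # Very dangerous unless some Rails authorization used
    /role/ => CONFIDENCE[:med],
    /banned/ => CONFIDENCE[:med],
    :account_id => CONFIDENCE[:high],
    /\S*_id(s?)\z/ => CONFIDENCE[:low] # All other foreign keys have weak/low confidence
  }.freeze

  # Visits every model that declares attr_accessible and emits one
  # "Mass Assignment" warning per attribute that matches a SUSP_ATTRS entry.
  # An attribute never produces more than one warning, even if it matches
  # several entries.
  def run_check
    check_models do |name, model|
      model[:attr_accessible].each do |attribute|
        confidence = suspicious_confidence attribute
        next unless confidence

        warn :model => name,
          :file => model[:file],
          :warning_type => "Mass Assignment",
          :warning_code => :mass_assign_call,
          :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
          :confidence => confidence
      end
    end
  end

  # Yields each (name, model) pair from the tracker whose model carries an
  # attr_accessible list. Only nil is skipped, so a model with an empty
  # list is still yielded (and simply produces no warnings).
  def check_models
    tracker.models.each do |name, model|
      next if model[:attr_accessible].nil?

      yield name, model
    end
  end

  private

  # Returns the confidence of the first SUSP_ATTRS entry matching
  # +attribute+, or nil when the attribute is not considered suspicious.
  # Uses +=~+ rather than +match?+ so the check keeps working on the Ruby
  # versions this file already targets.
  def suspicious_confidence(attribute)
    match = SUSP_ATTRS.find do |susp_attr, _confidence|
      if susp_attr.is_a?(Regexp)
        susp_attr =~ attribute.to_s
      else
        susp_attr == attribute
      end
    end
    match && match.last
  end
end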
