Sha256: 3550046f7ad8968f70a8298eaadbc4b7a5993c304944ba891ea78ffbacc6041b
Contents?: true
Size: 1.74 KB
Versions: 8
Compression:
Stored size: 1.74 KB
Contents
require 'brakeman/checks/base_check'
# Author: Paul Deardorff (themetric)
# Checks models to see if important foreign keys
# or attributes are exposed as attr_accessible when
# they probably shouldn't be.
class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
SUSP_ATTRS = [
[:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
[:role, CONFIDENCE[:med]],
[:banned, CONFIDENCE[:med]],
[:account_id, CONFIDENCE[:high]],
[/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
]
def run_check
check_models do |name, model|
model[:attr_accessible].each do |attribute|
next if role_limited? model, attribute
SUSP_ATTRS.each do |susp_attr, confidence|
if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
warn :model => name,
:file => model[:file],
:warning_type => "Mass Assignment",
:warning_code => :dangerous_attr_accessible,
:message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
:confidence => confidence
break # Prevent from matching single attr multiple times
end
end
end
end
end
def role_limited? model, attribute
role_accessible = model[:options][:role_accessible]
return if role_accessible.nil?
role_accessible.include? attribute
end
def check_models
tracker.models.each do |name, model|
if !model[:attr_accessible].nil?
yield name, model
end
end
end
end
Version data entries
8 entries across 8 versions & 2 rubygems