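require 'brakeman/checks/base_check'

# Warns when a `permit` call allows a parameter key that normally should not
# be settable through mass assignment (e.g. `admin`, `role`, or any `*_id`
# foreign-key style attribute). Only symbol arguments are examined; string
# keys and nested hash arguments to `permit` are skipped by this check.
class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Warn on potentially dangerous attributes whitelisted via permit"

  # Keys that are suspicious to permit, mapped to the confidence reported
  # when one is found. Frozen so the lookup table cannot be altered at runtime.
  SUSPICIOUS_KEYS = {
    admin: :high,
    account_id: :high,
    role: :medium,
    banned: :medium,
  }.freeze

  # Entry point: inspect every `permit` call the tracker found.
  def run_check
    tracker.find_call(:method => :permit).each do |result|
      check_permit result
    end
  end

  # Inspects each argument of a single `permit` call. Keys listed in
  # SUSPICIOUS_KEYS are reported with their configured confidence; any other
  # symbol key ending in `_id` is reported with medium confidence.
  #
  # @param result [Hash] one call result from tracker.find_call
  def check_permit result
    call = result[:call]

    call.each_arg do |arg|
      # Non-symbol arguments (strings, nested hashes) are not inspected.
      next unless symbol? arg

      if SUSPICIOUS_KEYS.key? arg.value
        warn_on_permit_key result, arg
      elsif arg.value.to_s.end_with? "_id"
        # Anchored at the true end of the name; the previous /_id$/ pattern
        # would also have matched before an embedded newline.
        warn_on_permit_key result, arg, :medium
      end
    end
  end

  # Emits a Mass Assignment warning for the permitted key.
  #
  # @param result [Hash] the permit call result the warning is attached to
  # @param key the symbol literal argument that triggered the warning
  # @param confidence [Symbol, nil] explicit confidence; when nil, taken from
  #   SUSPICIOUS_KEYS (nil if the key is not listed there)
  def warn_on_permit_key result, key, confidence = nil
    warn :result => result,
      :warning_type => "Mass Assignment",
      :warning_code => :dangerous_permit_key,
      :message => "Potentially dangerous key allowed for mass assignment",
      :confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
      :user_input => key
  end
end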