Sha256: c1fa76b75bf045f0bfafd555ac14a2ea5813d443ca6d3736a94bd50f4a0c2c9f

Contents?: true

Size: 1.71 KB

Versions: 4

Compression:

Stored size: 1.71 KB

Contents

require 'railroader/checks/base_check'

# Author: Paul Deardorff (themetric)
# Checks models to see if important foreign keys
# or attributes are exposed as attr_accessible when
# they probably shouldn't be.

class Railroader::CheckModelAttrAccessible < Railroader::BaseCheck
  Railroader::Checks.add self

  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."

  SUSP_ATTRS = [
    [:admin, :high], # Very dangerous unless some Rails authorization used
    [:role, :medium],
    [:banned, :medium],
    [:account_id, :high],
    [/\S*_id(s?)\z/, :weak] # All other foreign keys have weak/low confidence
  ]

  def run_check
    check_models do |name, model|
      model.attr_accessible.each do |attribute|
        next if role_limited? model, attribute

        SUSP_ATTRS.each do |susp_attr, confidence|
          if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
            warn :model => name,
              :file => model.file,
              :warning_type => "Mass Assignment",
              :warning_code => :dangerous_attr_accessible,
              :message => "Potentially dangerous attribute available for mass assignment",
              :confidence => confidence,
              :code => Sexp.new(:lit, attribute)
            break # Prevent from matching single attr multiple times
          end
        end
      end
    end
  end

  def role_limited? model, attribute
    role_accessible = model.role_accessible
    return if role_accessible.nil?
    role_accessible.include? attribute
  end

  def check_models
    tracker.models.each do |name, model|
      if !model.attr_accessible.nil?
        yield name, model
      end
    end
  end
end

Version data entries

4 entries across 4 versions & 1 rubygems

Version Path
railroader-4.3.8 lib/railroader/checks/check_model_attr_accessible.rb
railroader-4.3.7 lib/railroader/checks/check_model_attr_accessible.rb
railroader-4.3.5 lib/railroader/checks/check_model_attr_accessible.rb
railroader-4.3.4 lib/railroader/checks/check_model_attr_accessible.rb