Sha256: cd8fe9e08df29e9918059343238f7da68a68ee1665ceab40542f2e23209d4131

Contents?: true

Size: 1.78 KB

Versions: 20

Compression:

Stored size: 1.78 KB

Contents

require 'brakeman/checks/base_check'

# Author: Paul Deardorff (themetric)
# Checks models to see if important foreign keys
# or attributes are exposed as attr_accessible when
# they probably shouldn't be.

class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."

  SUSP_ATTRS = [
    [:admin, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
    [:role, CONFIDENCE[:med]],
    [:banned, CONFIDENCE[:med]],
    [:account_id, CONFIDENCE[:high]],
    [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
  ]

  def run_check
    check_models do |name, model|
      model[:attr_accessible].each do |attribute|
        next if role_limited? model, attribute

        SUSP_ATTRS.each do |susp_attr, confidence|
          if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
            warn :model => name,
              :file => model[:files].first,
              :warning_type => "Mass Assignment",
              :warning_code => :dangerous_attr_accessible,
              :message => "Potentially dangerous attribute available for mass assignment",
              :confidence => confidence,
              :code => Sexp.new(:lit, attribute)
            break # Prevent from matching single attr multiple times
          end
        end
      end
    end
  end

  def role_limited? model, attribute
    role_accessible = model[:options][:role_accessible]
    return if role_accessible.nil?
    role_accessible.include? attribute
  end

  def check_models
    tracker.models.each do |name, model|
      if !model[:attr_accessible].nil?
        yield name, model
      end
    end
  end
end

Version data entries

20 entries across 20 versions & 2 rubygems

Version Path
brakeman-3.0.5 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.5 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-3.0.4 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.4 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.3 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-3.0.3 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.2 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-3.0.2 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.1 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-3.0.1 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-3.0.0 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-3.0.0 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-2.6.3 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-2.6.3 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-2.6.2 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-2.6.2 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-2.6.1 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-2.6.1 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-min-2.6.0 lib/brakeman/checks/check_model_attr_accessible.rb
brakeman-2.6.0 lib/brakeman/checks/check_model_attr_accessible.rb