Sha256: e7aefc116038c49743a821bac3245d2c53a0e85ca1bd31e3956ae4ff061642ab
Contents?: true
Size: 1.73 KB
Versions: 2
Compression:
Stored size: 1.73 KB
Contents
require 'brakeman/checks/base_check'
#Check for bypassing mass assignment protection
#with without_protection => true
#
#Only for Rails 3.1
class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
Brakeman::Checks.add self
@description = "Check for mass assignment using without_protection"
def run_check
if version_between? "0.0.0", "3.0.99"
return
end
models = []
tracker.models.each do |name, m|
if parent? m, :"ActiveRecord::Base"
models << name
end
end
return if models.empty?
Brakeman.debug "Finding all mass assignments"
calls = tracker.find_call :targets => models, :methods => [:new,
:attributes=,
:update_attributes,
:update_attributes!,
:create,
:create!]
Brakeman.debug "Processing all mass assignments"
calls.each do |result|
process_result result
end
end
#All results should be Model.new(...) or Model.attributes=() calls
def process_result res
call = res[:call]
last_arg = call[3][-1]
if hash? last_arg and not call.original_line and not duplicate? res
if value = hash_access(last_arg, :without_protection)
if true? value
add_result res
if input = include_user_input?(call[3])
confidence = CONFIDENCE[:high]
user_input = input.match
else
confidence = CONFIDENCE[:med]
user_input = nil
end
warn :result => res,
:warning_type => "Mass Assignment",
:message => "Unprotected mass assignment",
:line => call.line,
:code => call,
:user_input => user_input,
:confidence => confidence
end
end
end
end
end
Version data entries
2 entries across 2 versions & 1 rubygems
| Version | Path |
|---|---|
| brakeman-1.6.0 | lib/brakeman/checks/check_without_protection.rb |
| brakeman-1.6.0.pre1 | lib/brakeman/checks/check_without_protection.rb |