lib/brakeman/checks/check_mass_assignment.rb in brakeman-1.5.3 vs lib/brakeman/checks/check_mass_assignment.rb in brakeman-1.6.0.pre1
- old
+ new
@@ -19,16 +19,14 @@
end
end
return if models.empty?
- @results = Set.new
Brakeman.debug "Finding possible mass assignment calls on #{models.length} models"
calls = tracker.find_call :chained => true, :targets => models, :methods => [:new,
:attributes=,
- :update_attribute,
:update_attributes,
:update_attributes!,
:create,
:create!,
:build]
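Review bot: The removal of `:update_attribute` from the `:methods =>` list is undocumented, and since `update_attribute` (singular) writes one named attribute rather than a hash of parameters, it is not a mass-assignment sink; a comment above the list such as `# update_attribute takes a single attribute name, not a hash, so it is not a mass assignment sink` would keep the next reader from re-adding it. The dropped `@results = Set.new` presumably leaves de-duplication to `duplicate?`/`add_result`, which the later hunk introduces; confirm no other method in this check still reads `@results`. The enclosing method starts outside the hunk.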
@@ -43,29 +41,37 @@
def process_result res
call = res[:call]
check = check_call call
- if check and not @results.include? call
- @results << call
+ if check and not call.original_line and not duplicate? res
+ add_result res
model = tracker.models[res[:chain].first]
attr_protected = (model and model[:options][:attr_protected])
if attr_protected and tracker.options[:ignore_attr_protected]
return
- elsif include_user_input? call[3] and not hash? call[3][1] and not attr_protected
- confidence = CONFIDENCE[:high]
+ elsif input = include_user_input?(call[3])
+ if not hash? call[3][1] and not attr_protected
+ confidence = CONFIDENCE[:high]
+ user_input = input.match
+ else
+ confidence = CONFIDENCE[:low]
+ user_input = input.match
+ end
else
confidence = CONFIDENCE[:low]
+ user_input = nil
end
warn :result => res,
:warning_type => "Mass Assignment",
:message => "Unprotected mass assignment",
:line => call.line,
:code => call,
+ :user_input => user_input,
:confidence => confidence
end
res
end
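Review bot: In the `elsif input = include_user_input?(call[3])` branch, `user_input = input.match` is assigned identically on both sides of the inner `if`, so only `confidence` actually depends on the hash?/attr_protected test; the eight-line branch collapses to `elsif (input = include_user_input?(call[3]))`, `user_input = input.match`, `confidence = (hash?(call[3][1]) || attr_protected) ? CONFIDENCE[:low] : CONFIDENCE[:high]`. The parentheses around the assignment also signal that it is deliberate rather than a mistyped `==`. Separately, the `attr_protected and tracker.options[:ignore_attr_protected]` path now returns nil after `add_result res` has already recorded the call, while every other path returns `res`; that shape is pre-existing, but confirm callers tolerate a nil return and that an ignored, already-recorded call is the intended outcome.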