lib/brakeman/checks/check_mass_assignment.rb in brakeman-1.9.0 vs lib/brakeman/checks/check_mass_assignment.rb in brakeman-1.9.1

@@ -27,11 +27,17 @@
       :attributes=, 
       :update_attributes, 
       :update_attributes!,
       :create,
       :create!,
-      :build]
+      :build,
+      :first_or_create,
+      :first_or_create!,
+      :first_or_initialize!,
+      :assign_attributes,
+      :update
+    ]
 
     Brakeman.debug "Processing possible mass assignment calls"
     calls.each do |result|
       process_result result
     end
@@ -77,14 +83,19 @@
   end
 
   #Want to ignore calls to Model.new that have no arguments
   def check_call call
     process_call_args call
-    first_arg = call.first_arg
 
-    if first_arg.nil? #empty new()
+    if call.method == :update
+      arg = call.second_arg
+    else
+      arg = call.first_arg
+    end
+
+    if arg.nil? #empty new()
       false
-    elsif hash? first_arg and not include_user_input? first_arg
+    elsif hash? arg and not include_user_input? arg
       false
     elsif all_literal_args? call
       false
     else
       true