lib/brakeman/checks/check_mass_assignment.rb in brakeman-4.8.2 vs lib/brakeman/checks/check_mass_assignment.rb in brakeman-4.9.0
- old
+ new
@@ -158,16 +158,31 @@
end
# Look for and warn about uses of Parameters#permit! for mass assignment
def check_permit!
tracker.find_call(:method => :permit!, :nested => true).each do |result|
- if params? result[:call].target and not result[:chain].include? :slice
- warn_on_permit! result
+ if params? result[:call].target
+ unless inside_safe_method? result or calls_slice? result
+ warn_on_permit! result
+ end
end
end
end
+ # Ignore blah_some_path(params.permit!)
+ def inside_safe_method? result
+ parent_call = result.dig(:parent, :call)
+
+ call? parent_call and
+ parent_call.method.match(/_path$/)
+ end
+
+ def calls_slice? result
+ result[:chain].include? :slice or
+ (result[:full_call] and result[:full_call][:chain].include? :slice)
+ end
+
# Look for actual use of params in mass assignment to avoid
# warning about uses of Parameters#permit! without any mass assignment
# or when mass assignment is restricted by model instead.
def subsequent_mass_assignment? result
location = result[:location]
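Review bot: `inside_safe_method?` anchors the method-name check with `$`, which in Ruby matches at any line end rather than at the end of the string; `parent_call.method.match(/_path\z/)` (or `match?` if the supported Ruby floor is 2.4+, which also avoids allocating a MatchData the condition discards) anchors the suffix correctly. The suppression keys only on the caller's name ending in `_path`, so a user-defined `*_path` method that does mass-assign would be silenced along with the route helpers — presumably an accepted trade-off, but worth stating by replacing `# Ignore blah_some_path(params.permit!)` with `# Route helpers (*_path) only build URLs, so permit! passed to them never reaches a model; any other *_path method is assumed equally harmless`. In `calls_slice?`, `result[:full_call][:chain]` is dereferenced with no nil check, unlike `result[:full_call]` itself; if a full_call can lack a :chain, `result.dig(:full_call, :chain)&.include?(:slice)` would be safer.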
@@ -189,11 +204,11 @@
end
warn :result => result,
:warning_type => "Mass Assignment",
:warning_code => :mass_assign_permit!,
- :message => "Parameters should be whitelisted for mass assignment",
+ :message => msg('Specify exact keys allowed for mass assignment instead of using ', msg_code('permit!'), ' which allows any keys'),
:confidence => confidence
end
def check_permit_all_parameters
tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
@@ -201,10 +216,10 @@
if true? call.first_arg
warn :result => result,
:warning_type => "Mass Assignment",
:warning_code => :mass_assign_permit_all,
- :message => "Parameters should be whitelisted for mass assignment",
+ :message => msg('Mass assignment is globally enabled. Disable and specify exact keys using ', msg_code('params.permit'), ' instead'),
:confidence => :high
end
end
end
end