Class: Brakeman::CheckWithoutProtection

Inherits:
BaseCheck
  • Object
Defined in:
lib/brakeman/checks/check_without_protection.rb

Overview

Checks for calls that bypass mass assignment protection by passing `:without_protection => true`.

Only for Rails 3.1

Constant Summary


Constants inherited from BaseCheck

BaseCheck::CONFIDENCE

Constants included from Util

Util::ALL_PARAMETERS, Util::COOKIES, Util::PARAMETERS, Util::PATH_PARAMETERS, Util::QUERY_PARAMETERS, Util::REQUEST_PARAMETERS, Util::SESSION

Instance Attribute Summary

Attributes inherited from BaseCheck

#tracker, #warnings

Instance Method Summary

Methods inherited from BaseCheck

#add_result, #initialize, #process_call, #process_cookies, #process_default, #process_params

Methods included from Util

#array?, #call?, #camelize, #cookies?, #false?, #hash?, #hash_insert, #hash_iterate, #integer?, #number?, #params?, #pluralize, #regexp?, #result?, #set_env_defaults, #sexp?, #string?, #symbol?, #true?, #underscore

Methods included from ProcessorHelper

#class_name, #process_module

Constructor Details

This class inherits a constructor from Brakeman::BaseCheck

Instance Method Details

- (Object) process_result(res)

All results should be Model.new(...) or Model.attributes=() calls



# File 'lib/brakeman/checks/check_without_protection.rb', line 42

# Inspect a single mass-assignment call site. Every +res+ is expected to
# wrap a Model.new(...), Model.attributes=(...) or similar call; a
# "Mass Assignment" warning is emitted when the call's final argument is a
# hash literal containing :without_protection => true.
#
# @param res [Hash] a find_call result whose :call entry is the call Sexp
# @return [Object] the result of the hash iteration, or nil when skipped
def process_result res
  call = res[:call]
  options = call[3][-1]

  # Only a trailing hash literal can carry the option, and a call that is
  # already recorded in @results must not be reported a second time.
  return unless hash?(options) && !@results.include?(call)

  hash_iterate(options) do |key, value|
    next unless symbol?(key) && key[1] == :without_protection && value[0] == :true

    @results << call

    # Arguments that carry user-controlled input make the bypass more
    # dangerous, so the confidence is raised accordingly.
    confidence = include_user_input?(call[3]) ? CONFIDENCE[:high] : CONFIDENCE[:med]

    warn :result => res,
      :warning_type => "Mass Assignment",
      :message => "Unprotected mass assignment",
      :line => call.line,
      :code => call,
      :confidence => confidence

    # One warning per call is enough; stop scanning the remaining pairs.
    break
  end
end

- (Object) run_check



# File 'lib/brakeman/checks/check_without_protection.rb', line 10

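# Entry point for the check.
#
# Rails 3.0 and earlier are skipped (version_between? is inclusive, so
# everything up to 3.0.99 returns early). For newer versions, every model
# that inherits from ActiveRecord::Base is collected, all mass-assignment
# style calls on those models are located, and each result is handed to
# #process_result.
#
# Fix: the ActiveRecord::Base symbol must be written as the quoted symbol
# :"ActiveRecord::Base" -- the unquoted form is not valid Ruby.
#
# @return [nil]
def run_check
  return if version_between? "0.0.0", "3.0.99"

  models = tracker.models.map do |name, m|
    name if parent?(tracker, m, :"ActiveRecord::Base")
  end.compact

  return if models.empty?

  # Tracks calls that have already produced a warning (see #process_result).
  @results = Set.new

  debug_info "Finding all mass assignments"
  calls = tracker.find_call :targets => models, :methods => [:new,
    :attributes=,
    :update_attribute,
    :update_attributes,
    :update_attributes!,
    :create,
    :create!]

  debug_info "Processing all mass assignments"
  calls.each do |result|
    process_result result
  end
end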