class Brakeman::CheckWithoutProtection

Check for bypassing mass assignment protection with without_protection => true

Only for Rails 3.1

Public Instance Methods

all_literals?(call) click to toggle source
# File lib/brakeman/checks/check_without_protection.rb, line 66
def all_literals? call
  call.each_arg do |arg|
    if hash? arg
      hash_iterate arg do |k, v|
        unless node_type? k, :str, :lit, :false, :true and node_type? v, :str, :lit, :false, :true
          return false
        end
      end
    else
      return false
    end
  end

  true
end
process_result(res) click to toggle source

All results should be Model.new(…) or Model.attributes=() calls

# File lib/brakeman/checks/check_without_protection.rb, line 34
def process_result res
  call = res[:call]
  last_arg = call.last_arg

  if hash? last_arg and not call.original_line and not duplicate? res

    if value = hash_access(last_arg, :without_protection)
      if true? value
        add_result res

        if input = include_user_input?(call.arglist)
          confidence = :high
        elsif all_literals? call
          return
        else
          confidence = :medium
        end

        warn :result => res, 
          :warning_type => "Mass Assignment", 
          :warning_code => :mass_assign_without_protection,
          :message => "Unprotected mass assignment",
          :code => call, 
          :user_input => input,
          :confidence => confidence,
          :cwe_id => [915]

      end
    end
  end
end
run_check() click to toggle source
# File lib/brakeman/checks/check_without_protection.rb, line 12
def run_check
  if version_between? "0.0.0", "3.0.99"
    return
  end

  return if active_record_models.empty?

  Brakeman.debug "Finding all mass assignments"
  calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
    :attributes=, 
    :update_attributes, 
    :update_attributes!,
    :create,
    :create!]

  Brakeman.debug "Processing all mass assignments"
  calls.each do |result|
    process_result result
  end
end