class Brakeman::CheckCreateWith

Public Instance Methods

danger_level(exp) click to toggle source

For a given create_with call, set confidence level. Ignore calls that use permit()

# File lib/brakeman/checks/check_create_with.rb, line 48
def danger_level exp
  return unless sexp? exp

  if call? exp and exp.method == :permit
    nil
  elsif request_value? exp
    :high
  elsif hash? exp
    nil
  elsif has_immediate_user_input?(exp)
    :high
  elsif include_user_input? exp
    :medium
  else
    :weak
  end
end
generic_warning() click to toggle source
# File lib/brakeman/checks/check_create_with.rb, line 66
def generic_warning
    warn :warning_type => "Mass Assignment",
      :warning_code => :CVE_2014_3514,
      :message => @message,
      :gem_info => gemfile_or_environment,
      :confidence => :medium,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
end
process_result(result) click to toggle source
# File lib/brakeman/checks/check_create_with.rb, line 28
def process_result result
  return unless original? result
  arg = result[:call].first_arg

  confidence = danger_level arg

  if confidence
    @warned = true

    warn :warning_type => "Mass Assignment",
      :warning_code => :CVE_2014_3514_call,
      :result => result,
      :message => @message,
      :confidence => confidence,
      :link_path => "https://groups.google.com/d/msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ"
  end
end
run_check() click to toggle source
# File lib/brakeman/checks/check_create_with.rb, line 8
def run_check
  @warned = false

  if version_between? "4.0.0", "4.0.8"
    suggested_version = "4.0.9"
  elsif version_between? "4.1.0", "4.1.4"
    suggested_version = "4.1.5"
  else
    return
  end

  @message = msg(msg_code("create_with"), " is vulnerable to strong params bypass. Upgrade to ", msg_version(suggested_version), " or patch")

  tracker.find_call(:method => :create_with, :nested => true).each do |result|
    process_result result
  end

  generic_warning unless @warned
end