class Brakeman::CheckPermitAttributes

Constants

SUSPICIOUS_KEYS

Public Instance Methods

# File lib/brakeman/checks/check_permit_attributes.rb, line 21
# Inspect one `permit` call and warn for every literal symbol argument
# that appears in SUSPICIOUS_KEYS (the keys a mass-assignment whitelist
# should generally not include).
#
# @param result [Hash] a Brakeman call result; only `result[:call]` is read
# @return [nil] results that are not `original?` are skipped (presumably
#   duplicates already reported elsewhere — confirm against Brakeman's
#   `original?` definition)
def check_permit result
  return unless original? result

  result[:call].each_arg do |permitted|
    # Only literal symbols are examined; dynamic or string keys are not
    # matched against SUSPICIOUS_KEYS here.
    next unless symbol? permitted
    next unless SUSPICIOUS_KEYS.key? permitted.value

    warn_on_permit_key result, permitted
  end
end
# File lib/brakeman/checks/check_permit_attributes.rb, line 15
# Entry point for the check: locate every `permit` call the tracker has
# recorded and hand each one to `check_permit`.
#
# @return [void]
def run_check
  permit_calls = tracker.find_call(method: :permit)
  permit_calls.each { |permit_call| check_permit permit_call }
end
# File lib/brakeman/checks/check_permit_attributes.rb, line 35
# Emit a "Mass Assignment" warning for a suspicious key passed to `permit`.
#
# @param result [Hash] the `permit` call result the warning is attached to
# @param key [Sexp] the symbol argument that matched SUSPICIOUS_KEYS; it is
#   reported as the `:user_input` so the offending key is highlighted
# @param confidence [Symbol, nil] explicit confidence level; when nil the
#   level configured for this key in SUSPICIOUS_KEYS is used
# @return [void]
def warn_on_permit_key result, key, confidence = nil
  # Caller-supplied confidence wins; otherwise look it up per key.
  level = confidence || SUSPICIOUS_KEYS[key.value]

  warn result: result,
       warning_type: "Mass Assignment",
       warning_code: :dangerous_permit_key,
       message: "Potentially dangerous key allowed for mass assignment",
       confidence: level,
       user_input: key
end