class Brakeman::CheckModelAttrAccessible

Author: Paul Deardorff (themetric). Checks each model's attr_accessible list for important foreign keys or other attributes that are exposed to mass assignment when they probably shouldn't be. Attributes that are only accessible under a role are skipped by this check.

Constants

SUSP_ATTRS

Public Instance Methods

check_models() { |name, model| ... }
# File lib/brakeman/checks/check_model_attr_accessible.rb, line 48
# Yields each (name, model) pair from the tracker whose attr_accessible
# is not nil. Models without an attr_accessible list are skipped, so the
# block only ever sees models that whitelist attributes for mass assignment.
def check_models
  tracker.models.each do |model_name, model|
    next if model.attr_accessible.nil?
    yield model_name, model
  end
end
role_limited?(model, attribute)
# File lib/brakeman/checks/check_model_attr_accessible.rb, line 42
# Reports whether +attribute+ is only accessible under a role on +model+.
#
# Returns nil when the model has no role_accessible list at all, true when
# the attribute is in that list, false otherwise. Callers treat nil and
# false alike ("not role-limited"), so such attributes are still checked.
#
# NOTE(review): this only asks whether the attribute is behind a role; it
# does not verify how or where that role is enforced.
def role_limited? model, attribute
  roles = model.role_accessible
  roles.nil? ? nil : roles.include?(attribute)
end
run_check()
# File lib/brakeman/checks/check_model_attr_accessible.rb, line 21
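# Warns about every attr_accessible attribute that matches an entry in
# SUSP_ATTRS. Each entry pairs a Symbol or Regexp with the confidence level
# to report: a Regexp is matched against the attribute's string form, a
# Symbol must equal the attribute exactly.
#
# Attributes that are only accessible under a role (see role_limited?) are
# skipped entirely. This check trusts the role gate to keep them out of
# default mass assignment and does not verify how the role is enforced, so
# a weakly enforced role is not reported here.
#
# Each attribute yields at most one warning, even if several SUSP_ATTRS
# entries would match it.
def run_check
  check_models do |_name, model|
    model.attr_accessible.each do |attribute|
      next if role_limited? model, attribute

      SUSP_ATTRS.each do |susp_attr, confidence|
        # Group the two match forms explicitly instead of relying on the
        # equal, left-associative precedence of `and`/`or`: the intended
        # condition is (Regexp match) || (exact Symbol match).
        regexp_match = susp_attr.is_a?(Regexp) && susp_attr =~ attribute.to_s
        next unless regexp_match || susp_attr == attribute

        warn :model => model,
          :file => model.file,
          :warning_type => "Mass Assignment",
          :warning_code => :dangerous_attr_accessible,
          :message => "Potentially dangerous attribute available for mass assignment",
          :confidence => confidence,
          :code => Sexp.new(:lit, attribute)
        break # Prevent from matching single attr multiple times
      end
    end
  end
end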