class Railroader::CheckWithoutProtection
Check for bypassing mass assignment protection with without_protection => true
Only for Rails 3.1
Public Instance Methods
all_literals?(call)
click to toggle source
# File lib/railroader/checks/check_without_protection.rb, line 64 def all_literals? call call.each_arg do |arg| if hash? arg hash_iterate arg do |k, v| unless node_type? k, :str, :lit, :false, :true and node_type? v, :str, :lit, :false, :true return false end end else return false end end true end
process_result(res)
click to toggle source
All results should be Model.new(…) or Model.attributes=() calls
# File lib/railroader/checks/check_without_protection.rb, line 33 def process_result res call = res[:call] last_arg = call.last_arg if hash? last_arg and not call.original_line and not duplicate? res if value = hash_access(last_arg, :without_protection) if true? value add_result res if input = include_user_input?(call.arglist) confidence = :high elsif all_literals? call return else confidence = :medium end warn :result => res, :warning_type => "Mass Assignment", :warning_code => :mass_assign_without_protection, :message => "Unprotected mass assignment", :code => call, :user_input => input, :confidence => confidence end end end end
run_check()
click to toggle source
# File lib/railroader/checks/check_without_protection.rb, line 12 def run_check if version_between? "0.0.0", "3.0.99" return end return if active_record_models.empty? Railroader.debug "Finding all mass assignments" calls = tracker.find_call :targets => active_record_models.keys, :methods => [ :new, :attributes=, :update_attributes, :update_attributes!, :create, :create! ] Railroader.debug "Processing all mass assignments" calls.each do |result| process_result result end end