makes attr_accessible model warnings have a fingerprint which will include the...

makes attr_accessible model warnings have a fingerprint which will include the attribute in the uniqueness calculation

makes attr_accessible model warnings have a fingerprint which will include the...
makes attr_accessible model warnings have a fingerprint which will include the attribute in the uniqueness calculation
47110f55 · Case Taintor · f03a143d · 47110f55 · 47110f55 · 47110f55
5 changed file
--- a/lib/brakeman/checks/check_model_attr_accessible.rb
+++ b/lib/brakeman/checks/check_model_attr_accessible.rb
@@ -30,7 +30,8 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
              :warning_type => "Mass Assignment",
              :warning_code => :dangerous_attr_accessible,
              :message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
-              :confidence => confidence
+              :confidence => confidence,
+              :method => attribute
            break # Prevent from matching single attr multiple times
          end
        end

--- a/lib/brakeman/warning.rb
+++ b/lib/brakeman/warning.rb
@@ -175,6 +175,7 @@ class Brakeman::Warning
      location = { :type => :template, :template => self.view_name }
    when :model
      location = { :type => :model, :model => self.model }
+      location.merge!(:method => self.method) if self.method
    when :controller
      location = { :type => :controller, :controller => self.controller }
    when :warning

--- a/test/tests/rails3.rb
+++ b/test/tests/rails3.rb
@@ -1037,7 +1037,7 @@ class Rails3Tests < Test::Unit::TestCase

  def test_remote_code_execution_CVE_2013_0277_unprotected
    assert_warning :type => :model,
-      :fingerprint => "b85602475eb048cfe7941b5952c3d5a09a7d9d0607f81fbf2b7578d1055fec90",
+      :fingerprint => "02022e54bf2419c752eba5d02b724bd288f96041ad8a7c9dbf3dc69bbfa385a9",
      :warning_type => "Remote Code Execution",
      :message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
      :confidence => 0,

--- a/test/tests/rails32.rb
+++ b/test/tests/rails32.rb
@@ -260,7 +260,7 @@ class Rails32Tests < Test::Unit::TestCase
  def test_model_attr_accessible_account_id
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "1d6615676c39afae6d749891e45d7351423542b3fe71a6eaf088bf7573e5c4b0",
+      :fingerprint => "30b226f608916087d7e53c6e5bf39f1cb5fdaed268aa12629e7fe34844f04fb3",
      :warning_type => "Mass Assignment",
      :message => /^Potentially\ dangerous\ attribute\ 'account_id'/,
      :confidence => 0,
@@ -291,6 +291,9 @@ class Rails32Tests < Test::Unit::TestCase
      :message => /^Potentially\ dangerous\ attribute\ 'plan_id'/,
      :confidence => 2, 
      :file => /account\.rb/
-  end 
+  end

+  def test_two_distinct_warnings_cant_have_same_fingerprint
+    assert_equal report[:model_warnings].map(&:fingerprint), report[:model_warnings].map(&:fingerprint).uniq
+  end
 end
--- a/test/tests/rails4_with_engines.rb
+++ b/test/tests/rails4_with_engines.rb
@@ -198,7 +198,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
  def test_mass_assignment_12
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "18df17e4364b62c4ba1c6e2849f8302592c68d196ab43f753639f9043c1e4014",
+      :fingerprint => "6eab87f7d7a130b4762ba10184614f9f8780e95625857b11e42505ee4a82d04f",
      :warning_type => "Mass Assignment",
      #noline,
      :message => /^Potentially\ dangerous\ attribute\ 'plan_id/,
@@ -209,7 +209,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
  def test_mass_assignment_13
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "e2fb5b0d650caf257ef86e32b101f9488738388e91039cc130c365a8df9b83fb",
+      :fingerprint => "9e552d6eac8dc68eb6e3a41cb838756802bcee812ab264e3d089d385566c4df0",
      :warning_type => "Mass Assignment",
      #noline,
      :message => /^Potentially\ dangerous\ attribute\ 'banned'/,
@@ -220,7 +220,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
  def test_mass_assignment_14
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "6276c85369c13ed06f18ca1dd9a7ef076077154e98f0c29b7938b5649a7d115d",
+      :fingerprint => "fab5f6c9c06598732046931ee76049f31549502dd77b70dcf93562f62e81a3c0",
      :warning_type => "Mass Assignment",
      #noline,
      :message => /^Potentially\ dangerous\ attribute\ 'account/,
@@ -231,7 +231,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
  def test_mass_assignment_15
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "6276c85369c13ed06f18ca1dd9a7ef076077154e98f0c29b7938b5649a7d115d",
+      :fingerprint => "9b1cfaefacee0db06a58f558fb8dd6631fc43684da3c86368f0bfaf5cb6916e0",
      :warning_type => "Mass Assignment",
      #noline,
      :message => /^Potentially\ dangerous\ attribute\ 'admin'\ /,
@@ -242,7 +242,7 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
  def test_mass_assignment_16
    assert_warning :type => :model,
      :warning_code => 60,
-      :fingerprint => "6fd655a6dcf618e378d5f7e7b3a9c038ed9b29d66ab89f9c28343265b2ff6d75",
+      :fingerprint => "1668dd521bfcd7e2b387bcd5d636a35da24a7554eb612cc6096dc6bc41bb984f",
      :warning_type => "Mass Assignment",
      #noline,
      :message => /^Potentially\ dangerous\ attribute\ 'status_/,