Warn on all uses of permit!

7dabe237 · Justin Collins · eabbc9dd · 7dabe237 · 7dabe237 · 7dabe237
3 changed file
--- a/lib/brakeman/checks/check_mass_assignment.rb
+++ b/lib/brakeman/checks/check_mass_assignment.rb
@@ -172,16 +172,19 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
  end

  def warn_on_permit! result
-    return if duplicate? result or
-              result[:call].original_line or
-              not subsequent_mass_assignment? result
-
+    return if duplicate? result or result[:call].original_line
    add_result result

+    confidence = if subsequent_mass_assignment? result
+                   CONFIDENCE[:high]
+                 else
+                   CONFIDENCE[:med]
+                 end
+
    warn :result => result,
      :warning_type => "Mass Assignment",
      :warning_code => :mass_assign_permit!,
      :message => "Parameters should be whitelisted for mass assignment",
-      :confidence => CONFIDENCE[:high]
+      :confidence => confidence
  end
 end
--- a/test/apps/rails4/app/controllers/friendly_controller.rb
+++ b/test/apps/rails4/app/controllers/friendly_controller.rb
@@ -24,18 +24,18 @@ class FriendlyController
  end

  def mass_assign_protected_model
-    # Should not warn because Account uses attr_accessible
+    # Warns with medium confidence because Account uses attr_accessible
    params.permit!
    Account.new(params)
  end

  def permit_without_usage
-    # Should not warn because there is no mass assignment
+    # Warns with medium confidence because there is no mass assignment
    params.permit!
  end

  def permit_after_usage
-    # Should not warn because permit! is called after mass assignment
+    # Warns with medium confidence because permit! is called after mass assignment
    User.new(params)
    params.permit!
  end

--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -15,7 +15,7 @@ class Rails4Tests < Test::Unit::TestCase
      :controller => 0,
      :model => 0,
      :template => 1,
-      :generic => 10
+      :generic => 13
    }
  end

@@ -211,33 +211,33 @@ class Rails4Tests < Test::Unit::TestCase
      :relative_path => "app/controllers/friendly_controller.rb",
      :user_input => nil

-    assert_no_warning :type => :warning,
+    assert_warning :type => :warning,
      :warning_code => 70,
-      :fingerprint => "cf2c82b751c8a1ce6a12ad89832cf7da43676032b058278ae65e8895bd6e8a57",
+      :fingerprint => "2f2df4aef71799a6a441783b50e7a43a9bed7da6c8d50e07e73d9d165065ceec",
      :warning_type => "Mass Assignment",
      :line => 28,
      :message => /^Parameters\ should\ be\ whitelisted\ for\ mas/,
-      :confidence => 0,
+      :confidence => 1,
      :relative_path => "app/controllers/friendly_controller.rb",
      :user_input => nil

-    assert_no_warning :type => :warning,
+    assert_warning :type => :warning,
      :warning_code => 70,
-      :fingerprint => "5495f802e6d3851519c6b911ffb8bfb039e51a77072cf8224306d54e20cf0e9e",
+      :fingerprint => "4f6a0d82f6ddf5528f3d50545ce353f2f1658d5102a745107ea572af5c2eee4b",
      :warning_type => "Mass Assignment",
      :line => 34,
      :message => /^Parameters\ should\ be\ whitelisted\ for\ mas/,
-      :confidence => 0,
+      :confidence => 1,
      :relative_path => "app/controllers/friendly_controller.rb",
      :user_input => nil

-    assert_no_warning :type => :warning,
+    assert_warning :type => :warning,
      :warning_code => 70,
-      :fingerprint => "f8984beda14640a9c6baa25e8046d8bd6943493425b142174292c804b7afc63e",
+      :fingerprint => "947bddec4cdd3ff8b2485eec1bd0078352c182a3bca18a5f68da0a64e87d4e80",
      :warning_type => "Mass Assignment",
      :line => 40,
      :message => /^Parameters\ should\ be\ whitelisted\ for\ mas/,
-      :confidence => 0,
+      :confidence => 1,
      :relative_path => "app/controllers/friendly_controller.rb",
      :user_input => nil
  end