Do not warn on redirects to Model#create/create!

9c89cd03 · Justin Collins · 25a41dfc · 9c89cd03 · 9c89cd03 · 9c89cd03
3 changed file
--- a/lib/brakeman/checks/check_redirect.rb
+++ b/lib/brakeman/checks/check_redirect.rb
@@ -13,7 +13,7 @@ class Brakeman::CheckRedirect < Brakeman::BaseCheck
  def run_check
    Brakeman.debug "Finding calls to redirect_to()"

-    @model_find_calls = Set[:all, :find, :find_by_sql, :first, :last, :new]
+    @model_find_calls = Set[:all, :create, :create!, :find, :find_by_sql, :first, :last, :new]

    if tracker.options[:rails3]
      @model_find_calls.merge [:from, :group, :having, :joins, :lock, :order, :reorder, :select, :where]

--- a/test/apps/rails4/app/controllers/application_controller.rb
+++ b/test/apps/rails4/app/controllers/application_controller.rb
@@ -6,4 +6,16 @@ class ApplicationController < ActionController::Base
  def show_detailed_exceptions?
    true
  end
+
+  def redirect_to_created_model
+    if create
+      @model = User.create
+      @model.save!
+      redirect_to @model
+    else
+      @model = User.create!
+      @model.save
+      redirect_to @model
+    end
+  end
 end
--- a/test/tests/rails4.rb
+++ b/test/tests/rails4.rb
@@ -19,6 +19,28 @@ class Rails4Tests < Test::Unit::TestCase
    }
  end

+  def test_redirects_to_created_model_do_not_warn
+    assert_no_warning :type => :warning,
+      :warning_code => 18,
+      :fingerprint => "fedba22f0fbcd96dcaa0b2628ccedba2c0880870992d05b817697efbb36e134f",
+      :warning_type => "Redirect",
+      :line => 14,
+      :message => /^Possible\ unprotected\ redirect/,
+      :confidence => 0,
+      :relative_path => "app/controllers/application_controller.rb",
+      :user_input => s(:call, s(:const, :User), :create)
+
+    assert_no_warning :type => :warning,
+      :warning_code => 18,
+      :fingerprint => "1d2d4b0a59ed26a6d591094714dbee81a60a3e686429a44fe2d80f87b94bc555",
+      :warning_type => "Redirect",
+      :line => 18,
+      :message => /^Possible\ unprotected\ redirect/,
+      :confidence => 0,
+      :relative_path => "app/controllers/application_controller.rb",
+      :user_input => s(:call, s(:const, :User), :create!)
+  end
+
  def test_session_secret_token
    assert_warning :type => :generic,
      :warning_type => "Session Setting",