diff --git a/lib/brakeman/checks/check_mass_assignment.rb b/lib/brakeman/checks/check_mass_assignment.rb
index 8c745e0d0614448b74b585977e8856457be9a9a4..8fae80d8072ed37d708b239ad0c6280b05c8cc34 100644
--- a/lib/brakeman/checks/check_mass_assignment.rb
+++ b/lib/brakeman/checks/check_mass_assignment.rb
@@ -82,6 +82,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
           confidence = CONFIDENCE[:low]
           user_input = input.match
         end
+      elsif node_type? call.first_arg, :lit, :str
+        return
       else
         confidence = CONFIDENCE[:low]
         user_input = nil
diff --git a/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb b/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb
index e117f680b9080963c79a7dfe884cf53f3e00f7dd..9a140725d12807b8f3111f329af8198f19992f79 100644
--- a/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb
+++ b/test/apps/rails_with_xss_plugin/app/controllers/users_controller.rb
@@ -139,4 +139,8 @@ class UsersController < ApplicationController
   def test_sanitize
     @x = params[:x]
   end
+
+  def string_mass
+    User.new("stuff")
+  end
 end
diff --git a/test/tests/rails_with_xss_plugin.rb b/test/tests/rails_with_xss_plugin.rb
index a5ab12964476ba07ba2dc7519343c25f8c998c33..adf2102280384ac77624633245c2634612b521ba 100644
--- a/test/tests/rails_with_xss_plugin.rb
+++ b/test/tests/rails_with_xss_plugin.rb
@@ -103,6 +103,17 @@ class RailsWithXssPluginTests < Test::Unit::TestCase
       :file => /users_controller\.rb/
   end
 
+  def test_mass_assignment_with_string
+    assert_no_warning :type => :warning,
+      :warning_code => 17,
+      :fingerprint => "2893b1a48ec56548a5a48d38324c5d78f7845066713ad79bb0ec17032672c862",
+      :warning_type => "Mass Assignment",
+      :line => 97,
+      :message => /^Unprotected\ mass\ assignment/,
+      :confidence => 2,
+      :relative_path => "app/controllers/other_controller.rb",
+      :user_input => nil
+  end
 
   def test_redirect_to_model_instance
     assert_no_warning :type => :warning,
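Review bot: The added `elsif node_type? call.first_arg, :lit, :str` / `return` branch silently exits the whole method, and nothing says why a literal first argument is exempt; a one-line comment such as `# A literal first argument (e.g. User.new("stuff")) carries no attacker-controlled attribute keys, so it is not mass assignment` would make the suppression reviewable. The exemption is also narrower than the test name suggests: an interpolated string (`:dstr`) as first argument is still a string, but it falls through to the `else` branch and is reported at low confidence with `user_input = nil` — worth either extending the guard to `:dstr` or noting that this is intended. The suppression is only safe because the preceding branch (presumably the user-input match, whose condition is outside the hunk) runs first; the enclosing method begins and ends outside the hunk, so please confirm that ordering.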
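Review bot: The new `string_mass` fixture in users_controller.rb is not referenced by any assertion in this diff: the test added to test/tests/rails_with_xss_plugin.rb asserts no warning for `app/controllers/other_controller.rb` line 97, so a regression that re-reports `User.new("stuff")` in this controller would go unnoticed. Consider pairing the fixture with a second negative assertion in that test, e.g. `assert_no_warning :type => :warning, :warning_type => "Mass Assignment", :file => /users_controller\.rb/`, or dropping the fixture if the other_controller case is meant to be the only coverage. `UsersController` opens outside the hunk.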