Only warn on subclasses of ActiveRecord::Base

in SQL injection, format validation, mass assignment, and CVE-2010-3933 checks. Should fix #107

Only warn on subclasses of ActiveRecord::Base
in SQL injection, format validation, mass assignment, and CVE-2010-3933 checks. Should fix #107
156555bf · Justin Collins · 4624cd1c · 156555bf · 156555bf · 156555bf
4 changed file
--- a/lib/brakeman/checks/check_nested_attributes.rb
+++ b/lib/brakeman/checks/check_nested_attributes.rb
@@ -27,7 +27,7 @@ class Brakeman::CheckNestedAttributes < Brakeman::BaseCheck
  end

  def uses_nested_attributes?
-    tracker.models.each do |name, model|
+    active_record_models.each do |name, model|
      return true if model[:options][:accepts_nested_attributes_for]
    end


--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -24,7 +24,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    end

    Brakeman.debug "Finding possible SQL calls on models"
-    calls = tracker.find_call :targets => tracker.models.keys,
+    calls = tracker.find_call :targets => active_record_models.keys,
      :methods => @sql_targets,
      :chained => true

@@ -57,7 +57,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
    scope_calls = []

    if version_between? "2.1.0", "3.0.9"
-      tracker.models.each do |name, model|
+      active_record_models.each do |name, model|
        if model[:options][:named_scope]
          model[:options][:named_scope].each do |args|
            call = Sexp.new(:call, nil, :named_scope, args).line(args.line)
@@ -66,7 +66,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
        end
       end
    elsif version_between? "3.1.0", "3.9.9"
-      tracker.models.each do |name, model|
+      active_record_models.each do |name, model|
        if model[:options][:scope]
          model[:options][:scope].each do |args|
            second_arg = args[2]

--- a/lib/brakeman/checks/check_validation_regex.rb
+++ b/lib/brakeman/checks/check_validation_regex.rb
@@ -15,7 +15,7 @@ class Brakeman::CheckValidationRegex < Brakeman::BaseCheck
  WITH = Sexp.new(:lit, :with)

  def run_check
-    tracker.models.each do |name, model|
+    active_record_models.each do |name, model|
      @current_model = name
      format_validations = model[:options][:validates_format_of]
      if format_validations

--- a/lib/brakeman/checks/check_without_protection.rb
+++ b/lib/brakeman/checks/check_without_protection.rb
@@ -14,17 +14,10 @@ class Brakeman::CheckWithoutProtection < Brakeman::BaseCheck
      return
    end

-    models = []
-    tracker.models.each do |name, m|
-      if ancestor? m, :"ActiveRecord::Base"
-        models << name
-      end
-    end
-
-    return if models.empty?
+    return if active_record_models.empty?

    Brakeman.debug "Finding all mass assignments"
-    calls = tracker.find_call :targets => models, :methods => [:new,
+    calls = tracker.find_call :targets => active_record_models.keys, :methods => [:new,
      :attributes=, 
      :update_attributes, 
      :update_attributes!,