提交
bdddc3ee
编写于
12月 18, 2012
作者:
Justin Collins
Merge branch 'support_strong_parameters2'
Conflicts: test/apps/rails3/app/controllers/other_controller.rb
上级
f3d91abd
1d34049b
变更
7
Showing
7 changed file
with
98 addition
and
8 deletion
+98
-8
lib/brakeman/checks/base_check.rb
lib/brakeman/checks/base_check.rb
+31
-6
lib/brakeman/checks/check_cross_site_scripting.rb
lib/brakeman/checks/check_cross_site_scripting.rb
+1
-1
lib/ruby_parser/bm_sexp.rb
lib/ruby_parser/bm_sexp.rb
+24
-1
test/apps/rails3/app/controllers/other_controller.rb
test/apps/rails3/app/controllers/other_controller.rb
+4
-0
test/apps/rails3/app/models/bill.rb
test/apps/rails3/app/models/bill.rb
+3
-0
test/tests/test_mass_assign_disable.rb
test/tests/test_mass_assign_disable.rb
+26
-0
test/tests/test_rails3.rb
test/tests/test_rails3.rb
+9
-0
lib/brakeman/checks/base_check.rb
...
...
@@ -144,7 +144,7 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
# go up the chain of parent classes to see if any have attr_accessible
def
parent_classes_protected?
model
if
model
[
:attr_accessible
]
if
model
[
:attr_accessible
]
or
model
[
:includes
].
include?
:"ActiveModel::ForbiddenAttributesProtection"
true
elsif
parent
=
tracker
.
models
[
model
[
:parent
]]
parent_classes_protected?
parent
...
...
@@ -159,21 +159,28 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
@mass_assign_disabled
=
false
if
version_between?
(
"3.1.0"
,
"
4.0.0
"
)
and
if
version_between?
(
"3.1.0"
,
"
3.9.9
"
)
and
tracker
.
config
[
:rails
]
and
tracker
.
config
[
:rails
][
:active_record
]
and
tracker
.
config
[
:rails
][
:active_record
][
:whitelist_attributes
]
==
Sexp
.
new
(
:true
)
@mass_assign_disabled
=
true
elsif
version_between?
(
"4.0.0"
,
"4.9.9"
)
#May need to revisit dependng on what Rails 4 actually does/has
@mass_assign_disabled
=
true
else
matches
=
tracker
.
check_initializers
(
:"ActiveRecord::Base"
,
:send
)
if
matches
.
empty?
#Check for
# class ActiveRecord::Base
# attr_accessible nil
# end
matches
=
tracker
.
check_initializers
([],
:attr_accessible
)
matches
.
each
do
|
result
|
if
result
[
1
]
==
"ActiveRecord"
and
result
[
2
]
==
:Base
arg
=
result
[
-
1
]
.
first_arg
if
result
.
module
==
"ActiveRecord"
and
result
.
result_class
==
:Base
arg
=
result
.
call
.
first_arg
if
arg
.
nil?
or
node_type?
arg
,
:nil
@mass_assign_disabled
=
true
...
...
@@ -182,9 +189,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
end
end
else
#Check for ActiveRecord::Base.send(:attr_accessible, nil)
matches
.
each
do
|
result
|
if
call?
result
[
-
1
]
call
=
result
[
-
1
]
call
=
result
.
call
if
call?
call
if
call
.
first_arg
==
Sexp
.
new
(
:lit
,
:attr_accessible
)
and
call
.
second_arg
==
Sexp
.
new
(
:nil
)
@mass_assign_disabled
=
true
break
...
...
@@ -194,6 +202,23 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
end
end
#There is a chance someone is using Rails 3.x and the `strong_parameters`
#gem and still using hack above, so this is a separate check for
#including ActiveModel::ForbiddenAttributesProtection in
#ActiveRecord::Base in an initializer.
if
not
@mass_assign_disabled
and
version_between?
(
"3.1.0"
,
"3.9.9"
)
and
tracker
.
config
[
:gems
][
:strong_parameters
]
matches
=
tracker
.
check_initializers
([],
:include
)
matches
.
each
do
|
result
|
call
=
result
.
call
if
call?
call
if
call
.
first_arg
==
Sexp
.
new
(
:colon2
,
Sexp
.
new
(
:const
,
:ActiveModel
),
:ForbiddenAttributesProtection
)
@mass_assign_disabled
=
true
end
end
end
end
@mass_assign_disabled
end
...
...
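Review bot: The new strong_parameters branch at the end of this section treats any initializer line `include ActiveModel::ForbiddenAttributesProtection` as disabling mass-assignment checks for the whole application, without confirming that the include sits inside `class ActiveRecord::Base` the way the `attr_accessible nil` branch above does with `result.module == "ActiveRecord" and result.result_class == :Base`. An initializer that mixes the module into one reopened model or an unrelated class would therefore silence every Mass Assignment warning, a false negative for exactly the models that stay unprotected. Reusing the same guard closes the gap: `if call? call and result.module == "ActiveRecord" and result.result_class == :Base`. The Rails 4 branch that sets `@mass_assign_disabled = true` unconditionally is marked provisional by its own comment; an app that restores `attr_accessible` there through a compatibility gem would be missed as well, though whether the gem list exposes that is not visible in this hunk. The enclosing method begins before the first hunk and closes at the end of the last one.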
lib/brakeman/checks/check_cross_site_scripting.rb
...
...
@@ -60,7 +60,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
json_escape_on
=
false
initializers
=
tracker
.
check_initializers
:ActiveSupport
,
:escape_html_entities_in_json
=
initializers
.
each
{
|
result
|
json_escape_on
=
true
?(
result
[
-
1
]
.
first_arg
)
}
initializers
.
each
{
|
result
|
json_escape_on
=
true
?(
result
.
call
.
first_arg
)
}
if
!
json_escape_on
or
version_between?
"0.0.0"
,
"2.0.99"
@known_dangerous
<<
:
to_json
...
...
lib/ruby_parser/bm_sexp.rb
...
...
@@ -147,13 +147,15 @@ class Sexp
#s(:call, s(:call, nil, :x, s(:arglist)), :y, s(:arglist, s(:lit, 1)))
# ^- method
def
method
expect
:call
,
:attrasgn
,
:super
,
:zsuper
expect
:call
,
:attrasgn
,
:super
,
:zsuper
,
:result
case
self
.
node_type
when
:call
,
:attrasgn
self
[
2
]
when
:super
,
:zsuper
:super
when
:result
self
.
last
end
end
...
...
@@ -492,6 +494,27 @@ class Sexp
expect
:class
self
[
2
]
end
#Returns the call Sexp in a result returned from FindCall
def
call
expect
:result
self
.
last
end
#Returns the module the call is inside
def
module
expect
:result
self
[
1
]
end
#Return the class the call is inside
def
result_class
expect
:result
self
[
2
]
end
end
#Invalidate hash cache if the Sexp changes
...
...
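Review bot: `Sexp#method` now accepts `:result` nodes but returns `self.last` for them, which, per the `call` accessor added in the second hunk, is the call Sexp itself rather than the method-name symbol the `:call`/`:attrasgn` arms return from `self[2]`. A caller comparing `method` against a symbol would never match on a result node and fail silently. Delegating keeps the contract uniform, `when :result then self.last.method`; if the last element of a result is not always a call (the base_check hunk does guard it with `call?`), that exception belongs in the comment on `method` instead. The new `module` and `result_class` accessors read positional slots with no description of the result layout; a hedged one-liner above them such as `# result layout (assumed): s(:result, module_name, class_name, ..., call)` would let a reader check the indices.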
test/apps/rails3/app/controllers/other_controller.rb
...
...
@@ -48,4 +48,8 @@ class OtherController < ApplicationController
`
#{
some_command
}
`
system
(
"ls
#{
some_files
}
"
)
end
def
test_mass_assign_with_strong_params
Bill
.
create
(
params
[
:charge
])
end
end
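Review bot: `test_mass_assign_with_strong_params` hands `params[:charge]` to `Bill.create` with no `permit` call, so the absence of a warning rests entirely on `Bill` including `ForbiddenAttributesProtection` in its model file, and nothing in the action says so. Since this fixture exists to exercise that one rule, a comment keeps the intent from being lost when the model is edited: `# Bill includes ActiveModel::ForbiddenAttributesProtection, so no Mass Assignment warning is expected here`. The preceding action starts before this hunk; the class closes on its last line.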
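--- /dev/null
+++ b/test/apps/rails3/app/models/bill.rb
@@ -0,0 +1,3 @@
+class Bill < ActiveRecord::Base
+  include ActiveModel::ForbiddenAttributesProtection
+end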
test/tests/test_mass_assign_disable.rb
...
...
@@ -36,4 +36,30 @@ class MassAssignDisableTest < Test::Unit::TestCase
end
RUBY
end
def
test_strong_parameters_in_initializer
init
=
"config/initializers/mass_assign.rb"
gemfile
=
"Gemfile"
config
=
"config/application.rb"
before_rescan_of
[
init
,
gemfile
,
config
],
"rails3.2"
do
write_file
init
,
<<-
RUBY
class ActiveRecord::Base
include ActiveModel::ForbiddenAttributesProtection
end
RUBY
append
gemfile
,
"gem 'strong_parameters'"
replace
config
,
"config.active_record.whitelist_attributes = true"
,
"config.active_record.whitelist_attributes = false"
end
#We disable whitelist, but add strong_parameters globally, so
#there should be no change.
assert_reindex
:none
assert_changes
assert_fixed
0
assert_new
0
end
end
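Review bot: `test_strong_parameters_in_initializer` only covers the case where the include lands in `class ActiveRecord::Base`; nothing pins down what happens when an initializer includes `ActiveModel::ForbiddenAttributesProtection` into some other class, so the intended scope of the new check is undocumented by the tests. A companion case writing `class SomeModel < ActiveRecord::Base; include ActiveModel::ForbiddenAttributesProtection; end` to the same initializer and asserting that the Mass Assignment warnings remain would make that scope explicit, whatever the matcher currently does. The inline comment could also state the expected outcome rather than only the setup: `# Whitelist off but ForbiddenAttributesProtection included globally, so mass assignment is still treated as disabled.`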
test/tests/test_rails3.rb
...
...
@@ -589,6 +589,15 @@ class Rails3Tests < Test::Unit::TestCase
:file
=>
/account\.rb/
end
def
test_mass_assign_with_strong_params
assert_no_warning
:type
=>
:warning
,
:warning_type
=>
"Mass Assignment"
,
:line
=>
53
,
:message
=>
/^Unprotected\ mass\ assignment/
,
:confidence
=>
0
,
:file
=>
/other_controller\.rb/
end
def
test_translate_bug
assert_warning
:type
=>
:warning
,
:warning_type
=>
"Cross Site Scripting"
,
...
...