提交
e146efba
编写于
12月 20, 2013
作者:
Case Taintor
changes attr_accessible warnings to set @code to the attribute & updates tests
上级
47110f55
变更
6
Showing
6 changed file
with
25 addition
and
26 deletion
+25
-26
lib/brakeman/checks/check_model_attr_accessible.rb
lib/brakeman/checks/check_model_attr_accessible.rb
+2
-2
lib/brakeman/warning.rb
lib/brakeman/warning.rb
+0
-1
test/tests/rails3.rb
test/tests/rails3.rb
+1
-1
test/tests/rails31.rb
test/tests/rails31.rb
+2
-2
test/tests/rails32.rb
test/tests/rails32.rb
+10
-10
test/tests/rails4_with_engines.rb
test/tests/rails4_with_engines.rb
+10
-10
lib/brakeman/checks/check_model_attr_accessible.rb
...
...
@@ -29,9 +29,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
:file
=>
model
[
:file
],
:warning_type
=>
"Mass Assignment"
,
:warning_code
=>
:dangerous_attr_accessible
,
:message
=>
"Potentially dangerous attribute
'
#{
attribute
}
'
available for mass assignment"
,
:message
=>
"Potentially dangerous attribute available for mass assignment"
,
:confidence
=>
confidence
,
:
method
=>
attribute
:
code
=>
Sexp
.
new
(
:lit
,
attribute
)
break
# Prevent from matching single attr multiple times
end
end
...
...
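Review bot: The new `:message` string no longer names the attribute, so any consumer that reads `message` without also rendering `code` can no longer tell which attr_accessible entry triggered the warning; the old string interpolated `#{attribute}` directly. The updated tests expect the attribute appended as `: :admin`, which presumably comes from the warning formatter rendering `code`, so it is worth confirming that every report format (and anyone diffing against a previous version's output) still sees the attribute name. `Sexp.new(:lit, attribute)` also assumes `attribute` is a literal such as a Symbol; if the surrounding loop can yield a String (attr_accessible accepts both), a `:str` node would be the faithful representation — confirm against where `attribute` is bound. The enclosing method begins and ends outside the hunk.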
lib/brakeman/warning.rb
...
...
@@ -175,7 +175,6 @@ class Brakeman::Warning
location
=
{
:type
=>
:template
,
:template
=>
self
.
view_name
}
when
:model
location
=
{
:type
=>
:model
,
:model
=>
self
.
model
}
location
.
merge!
(
:method
=>
self
.
method
)
if
self
.
method
when
:controller
location
=
{
:type
=>
:controller
,
:controller
=>
self
.
controller
}
when
:warning
...
...
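Review bot: Removing `location.merge!(:method => self.method) if self.method` drops `:method` from the location of every `:model` warning, not only the attr_accessible one, because the guard already made the line a no-op when `method` was nil. The rails3.rb hunk in this commit updates the fingerprint of the CVE-2013-0277 serialized-attributes model warning, whose check is otherwise untouched, which looks like a side effect of this deletion; fingerprint changes invalidate any existing fingerprint-based ignore entries, so the wider impact deserves a mention in the commit description. If the intent is only to stop attr_accessible warnings from carrying the attribute as `:method`, keeping this line is the conservative choice. The enclosing method starts and ends outside the hunk.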
test/tests/rails3.rb
...
...
@@ -1037,7 +1037,7 @@ class Rails3Tests < Test::Unit::TestCase
def
test_remote_code_execution_CVE_2013_0277_unprotected
assert_warning
:type
=>
:model
,
:fingerprint
=>
"
02022e54bf2419c752eba5d02b724bd288f96041ad8a7c9dbf3dc69bbfa385a9
"
,
:fingerprint
=>
"
b85602475eb048cfe7941b5952c3d5a09a7d9d0607f81fbf2b7578d1055fec90
"
,
:warning_type
=>
"Remote Code Execution"
,
:message
=>
/^Serialized\ attributes\ are\ vulnerable\ in\ /
,
:confidence
=>
0
,
...
...
test/tests/rails31.rb
...
...
@@ -1075,7 +1075,7 @@ class Rails31Tests < Test::Unit::TestCase
:warning_code
=>
17
,
:fingerprint
=>
"77c353ad8e5fc9880775ed436bbfa37b005b43aa2978186de92b6916f46fac39"
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ admin\ av/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :admin"
,
:confidence
=>
0
,
:relative_path
=>
"app/models/user.rb"
end
...
...
@@ -1085,7 +1085,7 @@ class Rails31Tests < Test::Unit::TestCase
:warning_code
=>
60
,
:fingerprint
=>
"e933f99c33bece852891a466b5b0fc629d9f20ba80ff3bbc42adfd239d5a5b48"
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'blah_admin/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :blah_admin_blah"
,
:confidence
=>
0
,
:relative_path
=>
"app/models/account.rb"
end
...
...
test/tests/rails32.rb
...
...
@@ -252,43 +252,43 @@ class Rails32Tests < Test::Unit::TestCase
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'admin'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :admin"
,
:confidence
=>
0
,
#HIGH
:file
=>
/user\.rb/
end
end
def
test_model_attr_accessible_account_id
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
30b226f608916087d7e53c6e5bf39f1cb5fdaed268aa12629e7fe34844f04fb3
"
,
:fingerprint
=>
"
add78ac0c12cea9335ad3128f17fd0ff8b0f3772daca1d0d109f9dc02ea2df59
"
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'account_id'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :account_id"
,
:confidence
=>
0
,
:relative_path
=>
"app/models/user.rb"
end
end
def
test_model_attr_accessible_account_banned
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'banned'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :banned"
,
:confidence
=>
1
,
#MED
:file
=>
/account\.rb/
end
end
def
test_model_attr_accessible_status_id
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'status_id'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :status_id"
,
:confidence
=>
2
,
#LOW
:file
=>
/user\.rb/
end
end
def
test_model_attr_accessible_plan_id
assert_warning
:type
=>
:model
,
:warning_type
=>
"Mass Assignment"
,
:message
=>
/^Potentially\ dangerous\ attribute\ 'plan_id'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :plan_id"
,
:confidence
=>
2
,
:file
=>
/account\.rb/
end
...
...
test/tests/rails4_with_engines.rb
...
...
@@ -198,10 +198,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
test_mass_assignment_12
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
6eab87f7d7a130b4762ba10184614f9f8780e95625857b11e42505ee4a82d04f
"
,
:fingerprint
=>
"
dbb51200329e5eadf073c7145497d0b18e33d903248426b6e8b97ec5d03ec23a
"
,
:warning_type
=>
"Mass Assignment"
,
#noline,
:message
=>
/^Potentially\ dangerous\ attribute\ 'plan_id/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :plan_id"
,
:confidence
=>
2
,
:relative_path
=>
"engines/user_removal/app/models/account.rb"
end
...
...
@@ -209,10 +209,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
test_mass_assignment_13
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
9e552d6eac8dc68eb6e3a41cb838756802bcee812ab264e3d089d385566c4df0
"
,
:fingerprint
=>
"
c505002e3567c74c8197586751d0cf9ab245aee0068f05c93589959b14dc40c8
"
,
:warning_type
=>
"Mass Assignment"
,
#noline,
:message
=>
/^Potentially\ dangerous\ attribute\ 'banned'/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :banned"
,
:confidence
=>
1
,
:relative_path
=>
"engines/user_removal/app/models/account.rb"
end
...
...
@@ -220,10 +220,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
test_mass_assignment_14
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
fab5f6c9c06598732046931ee76049f31549502dd77b70dcf93562f62e81a3c
0"
,
:fingerprint
=>
"
962a14c66f5f83ece9a22700939111a0b71ed2c925980416f1b664a601e8707
0"
,
:warning_type
=>
"Mass Assignment"
,
#noline,
:message
=>
/^Potentially\ dangerous\ attribute\ 'account/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :account_id"
,
:confidence
=>
0
,
:relative_path
=>
"engines/user_removal/app/models/user.rb"
end
...
...
@@ -231,10 +231,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
test_mass_assignment_15
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
9b1cfaefacee0db06a58f558fb8dd6631fc43684da3c86368f0bfaf5cb6916e0
"
,
:fingerprint
=>
"
fa154c3e50c02c70f4351dd6731085657dfb0b9ed73ee223ad5444b31bc1d31f
"
,
:warning_type
=>
"Mass Assignment"
,
#noline,
:message
=>
/^Potentially\ dangerous\ attribute\ 'admin'\ /
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :admin"
,
:confidence
=>
0
,
:relative_path
=>
"engines/user_removal/app/models/user.rb"
end
...
...
@@ -242,10 +242,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def
test_mass_assignment_16
assert_warning
:type
=>
:model
,
:warning_code
=>
60
,
:fingerprint
=>
"
1668dd521bfcd7e2b387bcd5d636a35da24a7554eb612cc6096dc6bc41bb984f
"
,
:fingerprint
=>
"
98c24601f549d41e0d0367e8bcefc6083263fa175a2978ace0340c6446e57603
"
,
:warning_type
=>
"Mass Assignment"
,
#noline,
:message
=>
/^Potentially\ dangerous\ attribute\ 'status_/
,
:message
=>
"Potentially dangerous attribute available for mass assignment: :status_id"
,
:confidence
=>
2
,
:relative_path
=>
"engines/user_removal/app/models/user.rb"
end
...
...