提交 e146efba 编写于 作者: C Case Taintor

changes attr_accessible warnings to set @code to the attribute & updates tests

上级 47110f55
......@@ -29,9 +29,9 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
:file => model[:file],
:warning_type => "Mass Assignment",
:warning_code => :dangerous_attr_accessible,
:message => "Potentially dangerous attribute '#{attribute}' available for mass assignment",
:message => "Potentially dangerous attribute available for mass assignment",
:confidence => confidence,
:method => attribute
:code => Sexp.new(:lit, attribute)
break # Prevent from matching single attr multiple times
end
end
......
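Review bot: `Sexp.new(:lit, attribute)` on the new `:code` line synthesizes a literal with no line information, so the warning still cannot point at the `attr_accessible` declaration in the model — the pre-existing `#noline` markers in the Rails4WithEngines tests suggest line info is already absent for these warnings, and this change does not recover it. If the Sexp node for the attribute is still in scope where `attribute` is extracted, passing that node as `:code` (or copying its line onto the new literal) would let the report show the offending line. Dropping the attribute name from the message is only safe if the warning layer appends `code` to it; the updated test strings ("… for mass assignment: :admin") imply it does, but that is not visible in this hunk. Also, swapping `:method` for `:code` changes the fingerprint of every model warning (even the unrelated Remote Code Execution fingerprint in Rails3Tests moves), which invalidates any existing ignore-file entries keyed on those fingerprints — worth calling out in the changelog. The enclosing method starts before the hunk.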
......@@ -175,7 +175,6 @@ class Brakeman::Warning
location = { :type => :template, :template => self.view_name }
when :model
location = { :type => :model, :model => self.model }
location.merge!(:method => self.method) if self.method
when :controller
location = { :type => :controller, :controller => self.controller }
when :warning
......
......@@ -1037,7 +1037,7 @@ class Rails3Tests < Test::Unit::TestCase
def test_remote_code_execution_CVE_2013_0277_unprotected
assert_warning :type => :model,
:fingerprint => "02022e54bf2419c752eba5d02b724bd288f96041ad8a7c9dbf3dc69bbfa385a9",
:fingerprint => "b85602475eb048cfe7941b5952c3d5a09a7d9d0607f81fbf2b7578d1055fec90",
:warning_type => "Remote Code Execution",
:message => /^Serialized\ attributes\ are\ vulnerable\ in\ /,
:confidence => 0,
......
......@@ -1075,7 +1075,7 @@ class Rails31Tests < Test::Unit::TestCase
:warning_code => 17,
:fingerprint => "77c353ad8e5fc9880775ed436bbfa37b005b43aa2978186de92b6916f46fac39",
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ admin\ av/,
:message => "Potentially dangerous attribute available for mass assignment: :admin",
:confidence => 0,
:relative_path => "app/models/user.rb"
end
......@@ -1085,7 +1085,7 @@ class Rails31Tests < Test::Unit::TestCase
:warning_code => 60,
:fingerprint => "e933f99c33bece852891a466b5b0fc629d9f20ba80ff3bbc42adfd239d5a5b48",
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'blah_admin/,
:message => "Potentially dangerous attribute available for mass assignment: :blah_admin_blah",
:confidence => 0,
:relative_path => "app/models/account.rb"
end
......
......@@ -252,43 +252,43 @@ class Rails32Tests < Test::Unit::TestCase
assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'admin'/,
:message => "Potentially dangerous attribute available for mass assignment: :admin",
:confidence => 0, #HIGH
:file => /user\.rb/
end
end
def test_model_attr_accessible_account_id
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "30b226f608916087d7e53c6e5bf39f1cb5fdaed268aa12629e7fe34844f04fb3",
:fingerprint => "add78ac0c12cea9335ad3128f17fd0ff8b0f3772daca1d0d109f9dc02ea2df59",
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'account_id'/,
:message => "Potentially dangerous attribute available for mass assignment: :account_id",
:confidence => 0,
:relative_path => "app/models/user.rb"
end
end
def test_model_attr_accessible_account_banned
assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'banned'/,
:message => "Potentially dangerous attribute available for mass assignment: :banned",
:confidence => 1, #MED
:file => /account\.rb/
end
end
def test_model_attr_accessible_status_id
assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'status_id'/,
:message => "Potentially dangerous attribute available for mass assignment: :status_id",
:confidence => 2, #LOW
:file => /user\.rb/
end
end
def test_model_attr_accessible_plan_id
assert_warning :type => :model,
:warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ 'plan_id'/,
:message => "Potentially dangerous attribute available for mass assignment: :plan_id",
:confidence => 2,
:file => /account\.rb/
end
......
......@@ -198,10 +198,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def test_mass_assignment_12
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "6eab87f7d7a130b4762ba10184614f9f8780e95625857b11e42505ee4a82d04f",
:fingerprint => "dbb51200329e5eadf073c7145497d0b18e33d903248426b6e8b97ec5d03ec23a",
:warning_type => "Mass Assignment",
#noline,
:message => /^Potentially\ dangerous\ attribute\ 'plan_id/,
:message => "Potentially dangerous attribute available for mass assignment: :plan_id",
:confidence => 2,
:relative_path => "engines/user_removal/app/models/account.rb"
end
......@@ -209,10 +209,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def test_mass_assignment_13
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "9e552d6eac8dc68eb6e3a41cb838756802bcee812ab264e3d089d385566c4df0",
:fingerprint => "c505002e3567c74c8197586751d0cf9ab245aee0068f05c93589959b14dc40c8",
:warning_type => "Mass Assignment",
#noline,
:message => /^Potentially\ dangerous\ attribute\ 'banned'/,
:message => "Potentially dangerous attribute available for mass assignment: :banned",
:confidence => 1,
:relative_path => "engines/user_removal/app/models/account.rb"
end
......@@ -220,10 +220,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def test_mass_assignment_14
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "fab5f6c9c06598732046931ee76049f31549502dd77b70dcf93562f62e81a3c0",
:fingerprint => "962a14c66f5f83ece9a22700939111a0b71ed2c925980416f1b664a601e87070",
:warning_type => "Mass Assignment",
#noline,
:message => /^Potentially\ dangerous\ attribute\ 'account/,
:message => "Potentially dangerous attribute available for mass assignment: :account_id",
:confidence => 0,
:relative_path => "engines/user_removal/app/models/user.rb"
end
......@@ -231,10 +231,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def test_mass_assignment_15
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "9b1cfaefacee0db06a58f558fb8dd6631fc43684da3c86368f0bfaf5cb6916e0",
:fingerprint => "fa154c3e50c02c70f4351dd6731085657dfb0b9ed73ee223ad5444b31bc1d31f",
:warning_type => "Mass Assignment",
#noline,
:message => /^Potentially\ dangerous\ attribute\ 'admin'\ /,
:message => "Potentially dangerous attribute available for mass assignment: :admin",
:confidence => 0,
:relative_path => "engines/user_removal/app/models/user.rb"
end
......@@ -242,10 +242,10 @@ class Rails4WithEnginesTests < Test::Unit::TestCase
def test_mass_assignment_16
assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "1668dd521bfcd7e2b387bcd5d636a35da24a7554eb612cc6096dc6bc41bb984f",
:fingerprint => "98c24601f549d41e0d0367e8bcefc6083263fa175a2978ace0340c6446e57603",
:warning_type => "Mass Assignment",
#noline,
:message => /^Potentially\ dangerous\ attribute\ 'status_/,
:message => "Potentially dangerous attribute available for mass assignment: :status_id",
:confidence => 2,
:relative_path => "engines/user_removal/app/models/user.rb"
end
......