Add option to consider attr_protected models safe

for mass assignment purposes

Add option to consider attr_protected models safe
for mass assignment purposes
ef3c6e8b · Justin Collins · 68c79117 · ef3c6e8b · ef3c6e8b · ef3c6e8b
3 changed file
--- a/lib/brakeman/checks/check_mass_assignment.rb
+++ b/lib/brakeman/checks/check_mass_assignment.rb
@@ -49,7 +49,9 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck

      attr_protected = (model and model[:options][:attr_protected])

-      if include_user_input? call[3] and not hash? call[3][1] and not attr_protected
+      if attr_protected and tracker.options[:ignore_attr_protected]
+        return
+      elsif include_user_input? call[3] and not hash? call[3][1] and not attr_protected
        confidence = CONFIDENCE[:high]
      else
        confidence = CONFIDENCE[:low]

--- a/lib/brakeman/checks/check_model_attributes.rb
+++ b/lib/brakeman/checks/check_model_attributes.rb
@@ -19,7 +19,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
      check_models do |name, model|
        if model[:options][:attr_protected].nil?
          no_accessible_names << name.to_s
-        else
+        elsif not tracker.options[:ignore_attr_protected]
          protected_names << name.to_s
        end
      end
@@ -46,7 +46,7 @@ class Brakeman::CheckModelAttributes < Brakeman::BaseCheck
            :warning_type => "Attribute Restriction",
            :message => "Mass assignment is not restricted using attr_accessible",
            :confidence => CONFIDENCE[:high]
-        else
+        elsif not tracker.options[:ignore_attr_protected]
          warn :model => name,
            :file => model[:file],
            :line => model[:options][:attr_protected].first.line,

--- a/lib/brakeman/options.rb
+++ b/lib/brakeman/options.rb
@@ -54,10 +54,6 @@ module Brakeman::Options
          options[:assume_all_routes] = true
        end

-        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
-          options[:ignore_model_output] = true
-        end
-
        opts.on "-e", "--escape-html", "Escape HTML by default" do
          options[:escape_html] = true
        end
@@ -67,6 +63,14 @@ module Brakeman::Options
          options[:skip_libs] = true
        end

+        opts.on "--ignore-model-output", "Consider model attributes XSS-safe" do
+          options[:ignore_model_output] = true
+        end
+
+        opts.on "--ignore-protected", "Consider models with attr_protected safe" do
+          options[:ignore_attr_protected] = true
+        end
+
        opts.on "--no-branching", "Disable flow sensitivity on conditionals" do
          options[:ignore_ifs] = true
        end