From 40564f18242032a397c9988b723d83419241f820 Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Fri, 29 Mar 2013 22:20:44 -0700
Subject: [PATCH] Don't warn on mass assignment with only/slice
fixes #203
---
 lib/brakeman/checks/check_mass_assignment.rb | 6 +++++-
 test/tests/test_rails3.rb | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/lib/brakeman/checks/check_mass_assignment.rb b/lib/brakeman/checks/check_mass_assignment.rb
index b0770180..115ceb13 100644
--- a/lib/brakeman/checks/check_mass_assignment.rb
+++ b/lib/brakeman/checks/check_mass_assignment.rb
@@ -59,7 +59,11 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
 if attr_protected and tracker.options[:ignore_attr_protected]
 return
 elsif input = include_user_input?(call.arglist)
- if not hash? call.first_arg and not attr_protected
+ first_arg = call.first_arg
+
+ if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)
+ return
+ elsif not node_type? first_arg, :hash and not attr_protected
 confidence = CONFIDENCE[:high]
 user_input = input.match
 else
diff --git a/test/tests/test_rails3.rb b/test/tests/test_rails3.rb
index 329d0469..01a8989c 100644
--- a/test/tests/test_rails3.rb
+++ b/test/tests/test_rails3.rb
@@ -674,6 +674,24 @@ class Rails3Tests < Test::Unit::TestCase
 :file => /home_controller\.rb/
 end
+ def test_mass_assignment_with_slice
+ assert_no_warning :type => :warning,
+ :warning_type => "Mass Assignment",
+ :line => 141,
+ :message => /^Unprotected\ mass\ assignment/,
+ :confidence => 0,
+ :file => /home_controller\.rb/
+ end
+
+ def test_mass_assignment_with_only
+ assert_no_warning :type => :warning,
+ :warning_type => "Mass Assignment",
+ :line => 142,
+ :message => /^Unprotected\ mass\ assignment/,
+ :confidence => 0,
+ :file => /home_controller\.rb/
+ end
+
 def test_translate_bug
 assert_warning :type => :warning,
 :warning_type => "Cross Site Scripting",
--
GitLab
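Review bot: The new guard on the `if call? first_arg and (first_arg.method == :slice or first_arg.method == :only)` line suppresses the warning on the method name alone, so `Model.new(params.slice(*params[:fields]))`, where the attribute list itself comes from the request, is silenced exactly like a literal whitelist. Before returning, check that the slice/only arguments carry no user input, e.g. `elsif call? first_arg and [:slice, :only].include?(first_arg.method) and not include_user_input?(first_arg.arglist)`; this assumes `include_user_input?` descends into splat arguments, which is not visible in the hunk, and if it does not the safer fallback is to continue into the lower-confidence branch rather than `return`. The receiver is not inspected either, so any `slice`/`only` call, not only one on `params`, takes this path, which is acceptable for a false-positive fix but deserves a comment such as `# params.slice/.only with a fixed attribute list is an explicit whitelist`. The enclosing method starts before and ends after this hunk.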
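Review bot: Both new tests are negative assertions (`assert_no_warning`) pinned to lines 141 and 142 of home_controller.rb, but no fixture change is in this patch (the diffstat lists only two files), so unless those lines already exist in the Rails 3 test app the tests pass vacuously whether or not the suppression works. Add a positive counterpart that keeps the warning for a slice whose attribute list is user-controlled, e.g. `assert_warning :warning_type => "Mass Assignment", :line => 143, :file => /home_controller\.rb/` against a fixture line like `User.new(params.slice(*params[:fields]))`, so the whitelist exemption is shown not to be over-broad. The enclosing test class continues outside this hunk.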