Skip to content

B
brakeman

社会瑞弟呀 / brakeman

通知 1
Star 0
Fork 0
B
brakeman

体验新版 GitCode,发现更多精彩内容 >>

提交 87a8b193 编写于 作者: J Justin
浏览文件
操作

Add additional check for global mass assign disable 

that looks like this:

module ActiveRecord
  class Base
    attr_accessible
  end
end

Also, could be wrong, but I think old check was broken?
上级 adcd3d1b
隐藏空白更改
内联 并排
Showing with 19 addition and 3 deletion
lib/brakeman/checks/base_check.rb
浏览文件 @ 87a8b193
......@@ -121,6 +121,8 @@ class Brakeman::BaseCheck < SexpProcessor
#Checks if mass assignment is disabled globally in an initializer.
def mass_assign_disabled?
return @mass_assign_disabled unless @mass_assign_disabled.nil?
@mass_assign_disabled = false
if version_between?("3.1.0", "4.0.0") and
tracker.config[:rails][:active_record] and
......@@ -129,17 +131,31 @@ class Brakeman::BaseCheck < SexpProcessor
@mass_assign_disabled = true
else
matches = tracker.check_initializers(:"ActiveRecord::Base", :send)
if matches.empty?
@mass_assign_disabled = false
matches = tracker.check_initializers([], :attr_accessible)
matches.each do |result|
if result[1] == :ActiveRecord and result[2] == :Base
arg = result[-1][3][1]
if arg.nil? or node_type? arg, :nil
@mass_assign_disabled = true
break
end
end
end
else
matches.each do |result|
if result[3][3] == Sexp.new(:arg_list, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
if result[-1][3] == Sexp.new(:arglist, Sexp.new(:lit, :attr_accessible), Sexp.new(:nil))
@mass_assign_disabled = true
return true
break
end
end
end
end
@mass_assign_disabled
end
#This is to avoid reporting duplicates. Checks if the result has been
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册