Skip to content

B
Brakeman

李少辉-开发者 / Brakeman

通知 1
Star 0
Fork 0
B
Brakeman

前往新版Gitcode,体验更适合开发者的 AI 搜索 >>

提交 684a4190 编写于 作者: J Justin Collins
浏览文件
操作

Merge branch 'attr_accessible_fixes' 

Conflicts:
	lib/brakeman/checks/check_model_attr_accessible.rb
上级 6a0218cd 949b5104
隐藏空白更改
内联 并排
Showing with 32 addition and 26 deletion
lib/brakeman/checks/check_model_attr_accessible.rb
浏览文件 @ 684a4190
require 'brakeman/checks/base_check' require 'brakeman/checks/base_check'
# Author: Paul Deardorff (themetric) # Author: Paul Deardorff (themetric)
# Checks models to see if important foreign keys # Checks models to see if important foreign keys
# or attributes are exposed as attr_accessible when # or attributes are exposed as attr_accessible when
# they probably shouldn't be. # they probably shouldn't be.
class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
Brakeman::Checks.add self Brakeman::Checks.add self
@description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist." @description = "Reports models which have dangerous attributes defined under the attr_accessible whitelist."
SUSP_ATTRS = { SUSP_ATTRS = [
/admin/ => CONFIDENCE[:high], # Very dangerous unless some Rails authorization used [/admin/, CONFIDENCE[:high]], # Very dangerous unless some Rails authorization used
/role/ => CONFIDENCE[:med], [/role/, CONFIDENCE[:med]],
/banned/ => CONFIDENCE[:med], [/banned/, CONFIDENCE[:med]],
:account_id => CONFIDENCE[:high], [:account_id, CONFIDENCE[:high]],
/\S*_id(s?)\z/ => CONFIDENCE[:low] # All other foreign keys have weak/low confidence [/\S*_id(s?)\z/, CONFIDENCE[:low]] # All other foreign keys have weak/low confidence
} ]
def run_check def run_check
check_models do |name, model| check_models do |name, model|
...@@ -24,17 +24,17 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck ...@@ -24,17 +24,17 @@ class Brakeman::CheckModelAttrAccessible < Brakeman::BaseCheck
next if role_limited? model, attribute next if role_limited? model, attribute
SUSP_ATTRS.each do |susp_attr, confidence| SUSP_ATTRS.each do |susp_attr, confidence|
if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute if susp_attr.is_a?(Regexp) and susp_attr =~ attribute.to_s or susp_attr == attribute
warn :model => name, warn :model => name,
:file => model[:file], :file => model[:file],
:warning_type => "Mass Assignment", :warning_type => "Mass Assignment",
:warning_code => :mass_assign_call, :warning_code => :dangerous_attr_accessible,
:message => "Potentially dangerous attribute #{attribute} available for mass assignment.", :message => "Potentially dangerous attribute #{attribute} available for mass assignment.",
:confidence => confidence :confidence => confidence
break # Prevent from matching single attr multiple times break # Prevent from matching single attr multiple times
end end
end end
end end
end end
end end
......
lib/brakeman/warning_codes.rb
浏览文件 @ 684a4190
...@@ -59,7 +59,8 @@ module Brakeman::WarningCodes ...@@ -59,7 +59,8 @@ module Brakeman::WarningCodes
:CVE_2013_1855 => 56, :CVE_2013_1855 => 56,
:CVE_2013_1856 => 57, :CVE_2013_1856 => 57,
:CVE_2013_1857 => 58, :CVE_2013_1857 => 58,
:unsafe_symbol_creation => 59 :unsafe_symbol_creation => 59,
:dangerous_attr_accessible => 60
} }
def self.code name def self.code name
......
test/tests/rails32.rb
浏览文件 @ 684a4190
...@@ -215,6 +215,7 @@ class Rails32Tests < Test::Unit::TestCase ...@@ -215,6 +215,7 @@ class Rails32Tests < Test::Unit::TestCase
def test_model_attr_accessible_admin def test_model_attr_accessible_admin
assert_warning :type => :model, assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment", :warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ admin/, :message => /^Potentially\ dangerous\ attribute\ admin/,
:confidence => 0, #HIGH :confidence => 0, #HIGH
...@@ -223,14 +224,17 @@ class Rails32Tests < Test::Unit::TestCase ...@@ -223,14 +224,17 @@ class Rails32Tests < Test::Unit::TestCase
def test_model_attr_accessible_account_id def test_model_attr_accessible_account_id
assert_warning :type => :model, assert_warning :type => :model,
:warning_code => 60,
:fingerprint => "1d6615676c39afae6d749891e45d7351423542b3fe71a6eaf088bf7573e5c4b0",
:warning_type => "Mass Assignment", :warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ account_id/, :message => /^Potentially\ dangerous\ attribute\ account_/,
:confidence => 0, :confidence => 0,
:file => /user\.rb/ :relative_path => "app/models/user.rb"
end end
def test_model_attr_accessible_account_banned def test_model_attr_accessible_account_banned
assert_warning :type => :model, assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment", :warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ banned/, :message => /^Potentially\ dangerous\ attribute\ banned/,
:confidence => 1, #MED :confidence => 1, #MED
...@@ -239,6 +243,7 @@ class Rails32Tests < Test::Unit::TestCase ...@@ -239,6 +243,7 @@ class Rails32Tests < Test::Unit::TestCase
def test_model_attr_accessible_status_id def test_model_attr_accessible_status_id
assert_warning :type => :model, assert_warning :type => :model,
:warning_code => 60,
:warning_type => "Mass Assignment", :warning_type => "Mass Assignment",
:message => /^Potentially\ dangerous\ attribute\ status_id/, :message => /^Potentially\ dangerous\ attribute\ status_id/,
:confidence => 2, #LOW :confidence => 2, #LOW
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册