Commit 97aea76d
Written on May 09, 2014
Author: Justin
Merge pull request #491 from phene/fix-rails4-mass-assignment-detection
Fixed treatment of protected_attributes gem for Rails 4
Parents: 6f11f825 200f2fa7
Changes: 3
Showing 3 changed files with 28 additions and 5 deletions (+28 -5)
lib/brakeman/checks/base_check.rb (+5 -4)
test/apps/rails4_with_engines/config/environments/production.rb (+6 -0)
test/tests/mass_assign_disable.rb (+17 -1)
lib/brakeman/checks/base_check.rb
@@ -12,10 +12,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
CONFIDENCE
=
{
:high
=>
0
,
:med
=>
1
,
:low
=>
2
}
Match
=
Struct
.
new
(
:type
,
:match
)
class
<<
self
attr_accessor
:name
def
inherited
(
subclass
)
subclass
.
name
=
subclass
.
to_s
.
match
(
/^Brakeman::(.*)$/
)[
1
]
end
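Review bot: no added or removed content is visible anywhere in this hunk; the CONFIDENCE hash, the Match struct and the inherited hook read the same before and after, and the header counts ten lines against ten. That points to a whitespace-only cleanup, which is better kept out of a commit whose purpose is the protected_attributes detection fix, so that blame on base_check.rb keeps pointing at the functional change.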
@@ -177,8 +177,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
tracker
.
config
[
:rails
][
:active_record
][
:whitelist_attributes
]
==
Sexp
.
new
(
:true
)
@mass_assign_disabled
=
true
elsif
version_between?
(
"4.0.0"
,
"4.9.9"
)
and
not
tracker
.
config
[
:gems
][
:protected_attributes
]
#May need to revisit dependng on what Rails 4 actually does/has
elsif
version_between?
(
"4.0.0"
,
"4.9.9"
)
&&
(
!
tracker
.
config
[
:gems
][
:protected_attributes
]
||
(
tracker
.
config
[
:rails
][
:active_record
]
&&
tracker
.
config
[
:rails
][
:active_record
][
:whitelist_attributes
]
==
Sexp
.
new
(
:true
)))
@mass_assign_disabled
=
true
else
#Check for ActiveRecord::Base.send(:attr_accessible, nil)
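Review bot: the replacement branch duplicates the whitelist_attributes test that the branch just above it already performs (tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)), and the two copies now differ: the new one guards tracker.config[:rails][:active_record] against nil before indexing into it, the earlier one does not. Factoring the comparison into a helper such as whitelist_attributes_enabled? that carries the nil guard would remove the duplication and give the earlier branch the same protection. The logic itself reads correctly: under Rails 4.x mass assignment is treated as disabled when protected_attributes is absent from the Gemfile, or when it is present and the app has switched on config.active_record.whitelist_attributes; with the gem present and the option off, control falls through to the attr_accessible check in the else branch, which is the intended behaviour.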
test/apps/rails4_with_engines/config/environments/production.rb
@@ -72,6 +72,12 @@ Rails4::Application.configure do
# Send deprecation notices to registered listeners.
config
.
active_support
.
deprecation
=
:notify
# Enforce whitelist mode for mass assignment. (now used by protected_attributes gem)
# This will create an empty whitelist of attributes available for mass-assignment for all models
# in your app. As such, your models will need to explicitly whitelist or blacklist accessible
# parameters by using an attr_accessible or attr_protected declaration.
config
.
active_record
.
whitelist_attributes
=
false
# Disable automatic flushing of the log to improve performance.
# config.autoflush_log = false
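Review bot: the comment added above config.active_record.whitelist_attributes = false says it enforces whitelist mode and creates an empty whitelist for every model, which describes the true setting, not the false value written here. Since this fixture deliberately starts with whitelisting off so that mass_assign_disable.rb can flip it to true, reword the comment to say that (for example that the option is left disabled in this fixture and is toggled by the test), otherwise the next reader will assume the fixture app is locked down when it is not.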
test/tests/mass_assign_disable.rb
@@ -63,7 +63,7 @@ class MassAssignDisableTest < Test::Unit::TestCase
assert_new
0
end
def
test_protected_attributes_gem
def
test_protected_attributes_gem
_without_whitelist_attributes
before_rescan_of
"Gemfile"
,
"rails4_with_engines"
do
append
"Gemfile"
,
"gem 'protected_attributes'"
end
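Review bot: the rename to test_protected_attributes_gem_without_whitelist_attributes is only accurate because the fixture's production.rb now sets whitelist_attributes = false in the same commit; a one-line comment in the test body stating that dependency would save the next person from hunting for where the "without" comes from, since nothing inside this test touches the setting.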
@@ -74,6 +74,22 @@ class MassAssignDisableTest < Test::Unit::TestCase
assert_new
1
end
def
test_protected_attributes_gem_with_whitelist_attributes
config
=
"config/environments/production.rb"
before_rescan_of
[
"Gemfile"
,
config
],
"rails4_with_engines"
do
append
"Gemfile"
,
"gem 'protected_attributes'"
replace
config
,
"config.active_record.whitelist_attributes = false"
,
"config.active_record.whitelist_attributes = true"
end
assert_reindex
:none
assert_changes
assert_fixed
0
assert_new
0
end
def
test_strong_parameters_with_send
init
=
"config/initializers/mass_assign.rb"
gemfile
=
"Gemfile"