Merge pull request #491 from phene/fix-rails4-mass-assignment-detection

Fixed treatment of protected_attributes gem for Rails 4

Merge pull request #491 from phene/fix-rails4-mass-assignment-detection
Fixed treatment of protected_attributes gem for Rails 4
97aea76d · Justin · 6f11f825 · 200f2fa7 · 97aea76d · 97aea76d
3 changed file
--- a/lib/brakeman/checks/base_check.rb
+++ b/lib/brakeman/checks/base_check.rb
@@ -12,10 +12,10 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
  CONFIDENCE = { :high => 0, :med => 1, :low => 2 }

  Match = Struct.new(:type, :match)
-  
+
  class << self
    attr_accessor :name
-  
+
    def inherited(subclass)
      subclass.name = subclass.to_s.match(/^Brakeman::(.*)$/)[1]
    end
@@ -177,8 +177,9 @@ class Brakeman::BaseCheck < Brakeman::SexpProcessor
      tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)

      @mass_assign_disabled = true
-    elsif version_between?("4.0.0", "4.9.9") and not tracker.config[:gems][:protected_attributes]
-      #May need to revisit dependng on what Rails 4 actually does/has
+    elsif version_between?("4.0.0", "4.9.9") && (!tracker.config[:gems][:protected_attributes] || (tracker.config[:rails][:active_record] &&
+            tracker.config[:rails][:active_record][:whitelist_attributes] == Sexp.new(:true)))
+
      @mass_assign_disabled = true
    else
      #Check for ActiveRecord::Base.send(:attr_accessible, nil)

--- a/test/apps/rails4_with_engines/config/environments/production.rb
+++ b/test/apps/rails4_with_engines/config/environments/production.rb
@@ -72,6 +72,12 @@ Rails4::Application.configure do
  # Send deprecation notices to registered listeners.
  config.active_support.deprecation = :notify

+  # Enforce whitelist mode for mass assignment. (now used by protected_attributes gem)
+  # This will create an empty whitelist of attributes available for mass-assignment for all models
+  # in your app. As such, your models will need to explicitly whitelist or blacklist accessible
+  # parameters by using an attr_accessible or attr_protected declaration.
+  config.active_record.whitelist_attributes = false
+
  # Disable automatic flushing of the log to improve performance.
  # config.autoflush_log = false


--- a/test/tests/mass_assign_disable.rb
+++ b/test/tests/mass_assign_disable.rb
@@ -63,7 +63,7 @@ class MassAssignDisableTest < Test::Unit::TestCase
    assert_new 0
  end

-  def test_protected_attributes_gem
+  def test_protected_attributes_gem_without_whitelist_attributes
    before_rescan_of "Gemfile", "rails4_with_engines" do
      append "Gemfile", "gem 'protected_attributes'"
    end
@@ -74,6 +74,22 @@ class MassAssignDisableTest < Test::Unit::TestCase
    assert_new 1
  end

+  def test_protected_attributes_gem_with_whitelist_attributes
+    config = "config/environments/production.rb"
+
+    before_rescan_of ["Gemfile", config], "rails4_with_engines" do
+      append "Gemfile", "gem 'protected_attributes'"
+
+      replace config, "config.active_record.whitelist_attributes = false",
+        "config.active_record.whitelist_attributes = true"
+    end
+
+    assert_reindex :none
+    assert_changes
+    assert_fixed 0
+    assert_new 0
+  end
+
  def test_strong_parameters_with_send
    init = "config/initializers/mass_assign.rb"
    gemfile = "Gemfile"