Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

init

  • Loading branch information...
commit f301b7f80818d1a3ebdbbacb6ab834454ce1cf07 0 parents
@mhartl authored
20 MIT-LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2008 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
13 README
@@ -0,0 +1,13 @@
+FindMassAssignment
+==================
+
+Introduction goes here.
+
+
+Example
+=======
+
+Example goes here.
+
+
+Copyright (c) 2008 [name of plugin creator], released under the MIT license
22 Rakefile
@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the find_mass_assignment plugin.'
+Rake::TestTask.new(:test) do |t|
+ t.libs << 'lib'
+ t.pattern = 'test/**/*_test.rb'
+ t.verbose = true
+end
+
+desc 'Generate documentation for the find_mass_assignment plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+ rdoc.rdoc_dir = 'rdoc'
+ rdoc.title = 'FindMassAssignment'
+ rdoc.options << '--line-numbers' << '--inline-source'
+ rdoc.rdoc_files.include('README')
+ rdoc.rdoc_files.include('lib/**/*.rb')
+end
1  init.rb
@@ -0,0 +1 @@
+# Include hook code here
1  install.rb
@@ -0,0 +1 @@
+# Install hook code here
93 lib/find_mass_assignment.rb
@@ -0,0 +1,93 @@
+require 'active_support'
+
+# Find the models that have potential mass assignment problems.
+# The method is to scan the controllers for likely mass assignment,
+# and then find the corresponding models that *don't* have
+# attr_accessible defined. Any time that happens, it's a potential problem.
+
+class String
+
+ @@cache = {}
+
+ # A regex to match likely cases of mass assignment
+ # Examples of matching strings:
+ # "Foo.new( { :bar => 'baz' } )"
+ # "Foo.update_attributes!(params[:foo])"
+ MASS_ASSIGNMENT = /(\w+)\.(new|create|update_attributes|build)!*\(/
+
+ # Return the strings that represent potential mass assignment problems.
+ # The MASS_ASSIGNMENT regex returns, e.g., ['Post', 'new'] because of
+ # the grouping methods; we want the first of the two for each match.
+ # For example, the call to scan might return
+ # [['Post', 'new'], ['Person', 'create']]
+ # We then select the first element of each subarray, returning
+ # ['Post', 'Person']
+ def mass_assignment_models
+ scan(MASS_ASSIGNMENT).map { |problem| problem.first.classify }
+ end
+
+ # Return true if the string has potential mass assignment code.
+ def mass_assignment?
+ self =~ MASS_ASSIGNMENT
+ end
+
+ # Return true if the model defines attr_accessible.
+ # Note that 'attr_accessible' must be preceded by nothing other than
+ # whitespace; this catches cases where attr_accessible is commented out.
+ def attr_accessible?
+ model = "#{RAILS_ROOT}/app/models/#{self.classify}.rb"
+ if File.exist?(model)
+ return @@cache[model] unless @@cache[model].nil?
+ @@cache[model] = File.open(model).read =~ /^\s*attr_accessible/
+ else
+ # If the model file doesn't exist, ignore it by returning true.
+ # This way, problem? is false and the item won't be flagged.
+ true
+ end
+ end
+
+ def problem?
+ not attr_accessible?
+ end
+
+ # Return true if a line has a problem model (no attr_accessible).
+ def problem_model?
+ mass_assignment_models.find { |model| model.problem? }
+ end
+
+ # Return true if a controller string has a (likely) mass assignment problem.
+ # This is true if at least one of the controller's lines
+ # (1) Has a likely mass assignment
+ # (2) The corresponding model doesn't define attr_accessible
+ def mass_assignment_problem?
+ File.open(self).find { |l| l.mass_assignment? and l.problem_model? }
+ end
+end
+
+module MassAssignment
+
+ def self.problem_models(line)
+ line.mass_assignment_models.select { |model| model.problem? }
+ end
+
+ def self.print_mass_assignment_problems(controller)
+ lines = File.open(controller)
+ lines.each_with_index do |line, number|
+ if line.mass_assignment? and line.problem_model?
+ puts " #{number} #{line}"
+ end
+ end
+ end
+
+ def self.find
+ controllers = Dir.glob("#{RAILS_ROOT}/app/controllers/*_controller.rb")
+ controllers.each do |controller|
+ if controller.mass_assignment_problem?
+ puts "\n#{controller}"
+ print_mass_assignment_problems(controller)
+ end
+ end
+ end
+end
+
+
5 tasks/find_mass_assignment_tasks.rake
@@ -0,0 +1,5 @@
+desc "Find potential mass assignment vulnerabilities"
+task :find_mass_assignment do
+ require File.join(File.dirname(__FILE__), "../lib/find_mass_assignment.rb")
+ MassAssignment.find
+end
1  uninstall.rb
@@ -0,0 +1 @@
+# Uninstall hook code here
Please sign in to comment.
Something went wrong with that request. Please try again.