require 'brakeman/checks/base_check'
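# Brakeman check: flag `permit(...)` calls that allow mass assignment of
# attributes an attacker would love to control (admin flags, roles, account
# ownership, foreign keys).
class Brakeman::CheckPermitAttributes < Brakeman::BaseCheck
  Brakeman::Checks.add self

  @description = "Warn on potentially dangerous attributes whitelisted via permit"

  # Attribute names that should rarely be settable through mass assignment,
  # mapped to the confidence of the warning they produce. Frozen so the shared
  # table cannot be mutated by another check at runtime.
  SUSPICIOUS_KEYS = {
    admin: :high,
    account_id: :high,
    role: :medium,
    banned: :medium,
  }.freeze

  # Attribute names that look like foreign keys (e.g. :user_id). Permitting
  # these lets a request re-parent a record, so they get a medium warning.
  FOREIGN_KEY_PATTERN = /_id$/

  # Entry point invoked by Brakeman: inspect every `permit` call the tracker
  # recorded while processing the application.
  def run_check
    tracker.find_call(:method => :permit).each do |result|
      check_permit result
    end
  end

  # Examine the arguments of one `permit` call.
  #
  # Only bare symbol arguments (`permit(:admin)`) are inspected. String keys
  # (`permit("admin")`) and nested hash arguments (`permit(address: [:admin])`)
  # are not examined by this check and will not produce a warning.
  #
  # result - the tracker result hash; result[:call] is the permit call Sexp.
  def check_permit result
    call = result[:call]

    call.each_arg do |arg|
      next unless symbol? arg

      if SUSPICIOUS_KEYS.key? arg.value
        warn_on_permit_key result, arg
      elsif arg.value =~ FOREIGN_KEY_PATTERN
        warn_on_permit_key result, arg, :medium
      end
    end
  end

  # Emit a Mass Assignment warning for `key`, the offending symbol Sexp.
  #
  # confidence - overrides the level looked up in SUSPICIOUS_KEYS. It must be
  #              supplied for keys that are not in that table; otherwise the
  #              warning is emitted with a nil confidence.
  def warn_on_permit_key result, key, confidence = nil
    warn :result => result,
      :warning_type => "Mass Assignment",
      :warning_code => :dangerous_permit_key,
      :message => "Potentially dangerous key allowed for mass assignment",
      :confidence => (confidence || SUSPICIOUS_KEYS[key.value]),
      :user_input => key
  end
end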