

Merge pull request #1464 from presidentbeef/permit_all_parameters
ActionController::Parameters.permit_all_parameters
presidentbeef committed Mar 9, 2020
2 parents 806ce12 + fb00160 commit 5dea972
Showing 4 changed files with 32 additions and 1 deletion.
15 changes: 15 additions & 0 deletions lib/brakeman/checks/check_mass_assignment.rb
Expand Up @@ -17,6 +17,7 @@ def initialize(*)
def run_check
check_mass_assignment
check_permit!
check_permit_all_parameters
end

def find_mass_assign_calls
Expand Down Expand Up @@ -193,4 +194,18 @@ def warn_on_permit! result
:message => "Parameters should be whitelisted for mass assignment",
:confidence => confidence
end

def check_permit_all_parameters
tracker.find_call(target: :"ActionController::Parameters", method: :permit_all_parameters=).each do |result|
call = result[:call]

if true? call.first_arg
warn :result => result,
:warning_type => "Mass Assignment",
:warning_code => :mass_assign_permit_all,
:message => "Parameters should be whitelisted for mass assignment",
:confidence => :high
end
end
end
end
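Review bot: `true? call.first_arg` in check_permit_all_parameters fires only when the assigned value is the literal `true`; an assignment from a variable, a constant or an `ENV` lookup silently passes, so a non-literal opt-in is a false negative rather than a lower-confidence finding. If that narrowing is deliberate it deserves a comment above the `if`, e.g. `# Only a literal true is reported; non-literal values are not tracked here`. If I recall correctly the same switch can also be set through the Rails configuration object (`config.action_controller.permit_all_parameters`), which this `find_call` on the `ActionController::Parameters` target would not see — worth confirming and either covering or documenting. The method also has no header comment; a one-liner such as `# Warn when ActionController::Parameters.permit_all_parameters is globally enabled` would match the surrounding checks.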
1 change: 1 addition & 0 deletions lib/brakeman/warning_codes.rb
Expand Up @@ -113,6 +113,7 @@ module Brakeman::WarningCodes
:force_ssl_disabled => 109,
:unsafe_cookie_serialization => 110,
:reverse_tabnabbing => 111,
:mass_assign_permit_all => 112,
:custom_check => 9090,
}

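--- a/test/apps/rails6/config/initializers/allow_all_parameters.rb
+++ b/test/apps/rails6/config/initializers/allow_all_parameters.rb
@@ -0,0 +1,2 @@
+# Allows all parameters for StrongParameters
+ActionController::Parameters.permit_all_parameters = true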
15 changes: 14 additions & 1 deletion test/tests/rails6.rb
Expand Up @@ -13,7 +13,7 @@ def expected
:controller => 0,
:model => 0,
:template => 4,
:generic => 12
:generic => 13
}
end

Expand Down Expand Up @@ -237,6 +237,19 @@ def test_mass_assignment_permit_bang_2
:user_input => nil
end

def test_mass_assignment_global_allow_all_parameters
assert_warning :type => :warning,
:warning_code => 112,
:fingerprint => "a02bb53bb433ffd7e52cfd58f9a3fdf20f53d082db36d2e47bf3c0aee32458ae",
:warning_type => "Mass Assignment",
:line => 2,
:message => /^Parameters\ should\ be\ whitelisted\ for\ mas/,
:confidence => 0,
:relative_path => "config/initializers/allow_all_parameters.rb",
:code => s(:attrasgn, s(:colon2, s(:const, :ActionController), :Parameters), :permit_all_parameters=, s(:true)),
:user_input => nil
end

def test_secrets_file_1
assert_warning :type => :warning,
:warning_code => 101,
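Review bot: test_mass_assignment_global_allow_all_parameters covers only the positive case (literal `true` in the fixture); nothing asserts that `ActionController::Parameters.permit_all_parameters = false` produces no warning, so a regression that drops the `true?` guard in the check would not be caught. A second initializer in the test app assigning `false`, paired with a no-warning assertion in this file, would pin that boundary. The `:generic` count bump from 12 to 13 in the first hunk is consistent with the single new warning.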
