
Instances of `params.permit!` not always being caught. #1426

Closed
jsgarvin opened this issue Nov 7, 2019 · 1 comment · Fixed by #1427

Comments


@jsgarvin jsgarvin commented Nov 7, 2019

Background

Brakeman version: 4.6.1
Rails version: 5.1.7
Ruby version: 2.6.3

Issue

What problem are you seeing?

After adding Brakeman to a large legacy app, we discovered a few instances where Brakeman's MassAssignment check is not always catching instances of params.permit!. The following scenarios seem to get missed.

```ruby
# The call to .instance_method seems to be what trips Brakeman up here.
SomeService.new(params: params.permit!).instance_method

# .merge and apparently any other valid method call here also trips up Brakeman.
params.permit!.merge({ some: 'hash' })
```
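The gap reported above is that a `permit!` call can sit anywhere inside an expression (as a keyword-argument value, as the receiver of a chained call) and a check that only looks at top-level statements misses it. The following is an added example, not Brakeman's own MassAssignment check, of the recursive AST walk such a check needs; it uses Ruby's built-in `RubyVM::AbstractSyntaxTree`, and the `SAMPLE` source is constructed from the two snippets in this report plus one safe `permit(...)` line.

```ruby
# Added example (not Brakeman's code): find every `permit!` call in a
# Ruby source file, no matter how deeply it is nested in an expression.

PERMIT_ALL = :permit!

# Pre-order walk over every node of the AST. Non-node children
# (symbols, literals, local-variable tables) are skipped.
def walk(node, &blk)
  return unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
  blk.call(node)
  node.children.each { |child| walk(child, &blk) }
end

# Method name of a call node, or nil for any other node type.
def call_method_name(node)
  case node.type
  when :CALL, :QCALL, :OPCALL then node.children[1] # recv.meth(args) / recv&.meth
  when :FCALL, :VCALL         then node.children[0] # meth(args) / bare meth
  end
end

# Returns [[line, column], ...] for each permit! call in +source+.
# Because the walk is recursive, a permit! used as an argument or as
# the receiver of another call (the cases in this report) is still found.
def find_permit_all_calls(source)
  hits = []
  walk(RubyVM::AbstractSyntaxTree.parse(source)) do |node|
    next unless call_method_name(node) == PERMIT_ALL
    hits << [node.first_lineno, node.first_column]
  end
  hits
end

# Constructed sample: lines 1-3 should be flagged, line 4 is the safe form.
SAMPLE = <<~RUBY
  params.permit!
  SomeService.new(params: params.permit!).instance_method
  params.permit!.merge({ some: 'hash' })
  params.require(:user).permit(:name, :email)
RUBY

if __FILE__ == $PROGRAM_NAME
  find_permit_all_calls(SAMPLE).each do |line, col|
    puts "permit! at line #{line}, column #{col}"
  end
end
```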
presidentbeef added a commit that referenced this issue Nov 7, 2019
Fixes #1426

@presidentbeef presidentbeef commented Nov 8, 2019

Yep - thank you for reporting!

koetsier added a commit to alphagov/email-alert-api that referenced this issue Nov 27, 2019
Newer versions of Brakeman correctly report #permit! as a security
issue.

presidentbeef/brakeman#1426