False positive: Mass assignment when using a filtered hash #203

brynary · 2012-12-11T03:05:15Z

You all asked for false positive reports so here we go. :wink: Here's a Mass Assignment false positive I found today:

Bill.find(params[:id]).update_attributes(bill_params.only("content", "amount_cents"))

In this case, the developer is using Hash#only to filter params (even though strong_parameters is not in use in this repo).

On the plus side, this was flagged as "Weak" confidence.

The text was updated successfully, but these errors were encountered:

presidentbeef · 2012-12-11T03:52:12Z

My guess is Brakeman doesn't know what bill_params is, and is warning because the code is doing a mass assignment, period. Otherwise, you would be getting a high confidence warning and probably be more disappointed. I suppose Brakeman could check for only or slice, since those signal intent.

brynary · 2012-12-11T04:00:36Z

Yeah, agreed checking for only or slice would be the way to improve this. I'm not quite sure it's worth it in the wake of strong_parameters, but wanted to report nonetheless.

presidentbeef · 2012-12-11T04:19:47Z

I appreciate it!

presidentbeef mentioned this issue Mar 30, 2013

Don't warn on mass assignment with only/slice #303

Merged

presidentbeef closed this as completed in 40564f1 Apr 1, 2013

Repository owner locked and limited conversation to collaborators Feb 16, 2016

False positive: Mass assignment when using a filtered hash #203

False positive: Mass assignment when using a filtered hash #203

brynary commented Dec 11, 2012

presidentbeef commented Dec 11, 2012

brynary commented Dec 11, 2012

presidentbeef commented Dec 11, 2012

False positive: Mass assignment when using a filtered hash #203

False positive: Mass assignment when using a filtered hash #203

Comments

brynary commented Dec 11, 2012

presidentbeef commented Dec 11, 2012

brynary commented Dec 11, 2012

presidentbeef commented Dec 11, 2012