False-Positive Mass Assignment warning #372
Comments
Yes any kind of role-based authorization to protect these attributes would be secure. Brakeman will throw a false positive many times because we haven't yet checked to see if attributes like this one are purposely exposed and then protected through authorization. This is difficult to detect with a static scanner due to the many different ways to authorize certain actions. CanCan for example does authorization very well and the latest 2.0 version supports protecting resource attributes based on conditions like a user's role.
Seems like this is easily fixed by checking for a hash argument with I'm more surprised that this class would be treated like a model. Is this the actual class that generated the warning? Edit: nevermind, any class in
Also, a Mongoid::Document is a model, so treating it as a model is correct behaviour as far as I'm concerned.
In our app we have different scopes for different mass assignment. In our admin part we can just assign almost everything. However, brakeman seems to disapprove. Is this intentional? And if so, what would be a better way to do this? Because to me this seems quite secure:
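The role-scoped whitelist pattern the issue describes, as an added example that is not the reporter's code or Brakeman's: a plain-Ruby stand-in for `attr_accessible ..., as: :scope` with no Rails or Mongoid dependency. The `User` class, its `ACCESSIBLE` table and `update_user` are assumptions; the point it shows is the part a static scanner cannot see, namely that the scope is chosen from the authenticated actor, never from the request body.

```ruby
# Added example (not from the issue): role-scoped mass assignment in plain Ruby,
# in the spirit of Rails 3 `attr_accessible ..., as: :admin`.
class User
  # Hypothetical per-scope whitelists; the :admin scope is a superset.
  ACCESSIBLE = {
    default: %i[name email],
    admin:   %i[name email role active],
  }.freeze

  attr_reader :attributes, :rejected

  def initialize(attributes = {})
    @attributes = attributes.dup
    @rejected = []
  end

  # Mass-assign from untrusted params. Only keys whitelisted for the given
  # scope are written; anything else is recorded in `rejected`, not applied.
  # An unknown scope raises KeyError, so a typo fails closed.
  def assign_attributes(params, as: :default)
    allowed = ACCESSIBLE.fetch(as)
    params.each do |key, value|
      key = key.to_sym
      if allowed.include?(key)
        @attributes[key] = value
      else
        @rejected << key
      end
    end
    self
  end
end

# The scope is derived from the *authenticated* user's stored role, not from
# the submitted params; otherwise a client could simply send role=admin.
def scope_for(current_user)
  current_user.attributes[:role] == 'admin' ? :admin : :default
end

# Controller-style update: pick the scope from the actor, then assign.
def update_user(target, params, current_user:)
  target.assign_attributes(params, as: scope_for(current_user))
end

if __FILE__ == $0
  # Constructed request: an ordinary user smuggles role=admin into the form.
  member = User.new(role: 'user')
  target = User.new(name: 'old')
  update_user(target, { 'name' => 'new', 'role' => 'admin' }, current_user: member)
  puts target.attributes.inspect # {:name=>"new"}  (role silently dropped)
  puts target.rejected.inspect   # [:role]
end
```

Brakeman flags the `:admin` scope because, as the maintainer notes above, it cannot tell statically that `scope_for` is gated on the actor's real role; the rejected-key list is what you would log or raise on in the non-admin path.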