Protected_attributes allows all params and brakeman doesn't recognise the mass assignment concern #475
Using the "protected_attributes" gem on a Rails 4 app, from what I can gather, makes permit_all_attributes=true, but Brakeman doesn't recognise this and doesn't detect the mass assignment security concern.
So if whitelisting is off, the protected_attributes gem is in the Gemfile and no attr_accessible declarations are defined, then params[:foo] can be mass assigned to the Model, and Brakeman thinks that `permitted?` will be tested because of Rails 4, but it isn't.
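The situation the report describes, as an added stand-alone Ruby simulation (not code from Brakeman, the protected_attributes gem or ActiveRecord): one model class follows the gem's attr_accessible semantics under each configuration, the other follows the Rails 4 strong-parameters path that Brakeman assumes is in force. The class names (LegacyModel, StrongModel, Params), the MassAssignment config module standing in for config.active_record.whitelist_attributes, and the request parameters are all constructed for illustration.

```ruby
# Added example: a simplified model of the two mass-assignment regimes contrasted in the
# issue. NOT the protected_attributes gem, ActiveRecord or Brakeman code; class names,
# the MassAssignment module and the sample params are constructed for illustration.
require 'set'

# Stand-in for config.active_record.whitelist_attributes (assumed single global switch).
module MassAssignment
  class << self
    attr_accessor :whitelist
  end
  self.whitelist = false
end

# Stand-in for a model under the protected_attributes gem (attr_accessible semantics).
class LegacyModel
  PROTECTED_BY_DEFAULT = %w[id type].freeze # primary key and STI column are always dropped

  def self.attr_accessible(*names)
    @accessible = Set.new(names.map(&:to_s))
  end

  def self.accessible
    @accessible
  end

  # Keeps only the attributes the model lets through, mimicking the gem's sanitizer.
  def self.sanitize(attrs)
    allowed = accessible
    # Whitelisting on and no attr_accessible declared => an empty whitelist: everything protected.
    allowed = Set.new if allowed.nil? && MassAssignment.whitelist
    attrs.transform_keys(&:to_s).reject do |key, _|
      PROTECTED_BY_DEFAULT.include?(key) || (allowed && !allowed.include?(key))
    end
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = self.class.sanitize(attrs)
  end
end

# Stand-in for Rails 4 strong parameters: a hash that remembers whether it was permitted.
class Params
  attr_reader :to_h

  def initialize(hash, permitted: false)
    @to_h = hash.transform_keys(&:to_s)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  def permit(*keys)
    keys = keys.map(&:to_s)
    Params.new(@to_h.select { |k, _| keys.include?(k) }, permitted: true)
  end
end

class ForbiddenAttributesError < StandardError; end

# Stand-in for a model with ForbiddenAttributesProtection: the check Brakeman assumes
# a Rails 4 app performs, and which the gem removes.
class StrongModel
  attr_reader :attributes

  def initialize(attrs)
    raise ForbiddenAttributesError unless attrs.permitted?
    @attributes = attrs.to_h
  end
end

# Constructed request params: the attacker appends admin=true and id=7 to a sign-up form.
PARAMS = { 'name' => 'alice', 'email' => 'alice@example.com', 'admin' => true, 'id' => 7 }.freeze

# Builds a record through the protected_attributes path under the given configuration.
def legacy_assign(whitelist:, accessible: nil)
  MassAssignment.whitelist = whitelist
  klass = Class.new(LegacyModel)
  klass.attr_accessible(*accessible) if accessible
  klass.new(PARAMS).attributes
end

# Builds a record through strong parameters; raises if the hash was never permitted.
def strong_assign(permit: true)
  params = Params.new(PARAMS)
  params = params.permit(:name, :email) if permit
  StrongModel.new(params).attributes
end

if __FILE__ == $PROGRAM_NAME
  p legacy_assign(whitelist: false)                              # admin assigned: the issue's case
  p legacy_assign(whitelist: true)                               # nothing assigned: empty whitelist
  p legacy_assign(whitelist: false, accessible: %w[name email])  # only the declared attributes
  p strong_assign                                                # name and email only
  begin
    strong_assign(permit: false)
  rescue ForbiddenAttributesError => e
    puts "unpermitted params rejected: #{e.class}"
  end
end
```

The first call is the configuration in the report: whitelisting off, gem present, no attr_accessible, so every parameter except the default-protected `id` reaches the model, `admin` included. A scanner that treats the app as a Rails 4 app with strong parameters expects the `StrongModel` behaviour instead, where an unpermitted hash raises before any attribute is written.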