Class: Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel

Inherits:
Object
  • Object
show all
Includes:
PatternMatchCheck
Defined in:
lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb

Constant Summary

Constants included from PatternMatchCheck

PatternMatchCheck::EXCLUSION_LIST

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

Attributes included from PatternMatchCheck

#attack_pattern, #attack_pattern_is_regex, #avoid_comments, #negative_search, #root_dir

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from PatternMatchCheck

#must_exclude?, #vuln?

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initializeMassAssignmentInModel

Returns a new instance of MassAssignmentInModel.


9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# File 'lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb', line 9

def initialize
  message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."

  super({
    :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
    :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
    :applies=>["rails"],
    :glob=>"**/model/*.rb",
    :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
    :message=>message,
    :attack_pattern => ["attr_accessor"],
    :negative_search=>false,
    :avoid_comments=>true,
    :check_family=>:owasp_ror_cheatsheet,
    :severity=>:info,
    :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
    :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
  })
  # @debug = true
end