Class: Simplabs::Excellent::Checks::Rails::AttrProtectedCheck

Inherits:
Base
  • Object
Defined in:
lib/simplabs/excellent/checks/rails/attr_protected_check.rb

Overview

This check reports ActiveRecord models that specify attr_protected. Like attr_accessible, attr_protected is a helper for securing ActiveRecord models against mass-assignment attacks (see guides.rubyonrails.org/security.html#mass-assignment), but where attr_accessible specifies a white list of the properties that are writable by mass assignment, attr_protected specifies a black list. Such a black list approach is usually less secure, since the list has to be updated for every new property that is introduced, which is easy to forget.
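The following is an added, self-contained example (not part of the simplabs/excellent project) that performs the same kind of detection the check above describes: it parses Ruby source with the standard library's Ripper, finds classes whose superclass marks them as ActiveRecord models, and reports those that call attr_protected. It assumes, as a simplification, that a model is any class inheriting from ActiveRecord::Base or ApplicationRecord; the context object, full_name and specifies_attr_protected? helpers the real check relies on are replaced by the small functions below, and the sample source is constructed for this example.

```ruby
require 'ripper'

# Assumption for this example: a class is an ActiveRecord model when its
# superclass is ActiveRecord::Base or ApplicationRecord.
MODEL_SUPERCLASSES = [%w[ActiveRecord Base], %w[ApplicationRecord]].freeze

# Returns one warning string per ActiveRecord model that calls attr_protected,
# e.g. "Admin::User specifies attr_protected." (mirrors the check's message).
def attr_protected_warnings(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, 'source does not parse' if sexp.nil?
  warnings = []
  walk(sexp, [], warnings)
  warnings
end

# Recursive walk over Ripper's S-expression, tracking the module/class
# nesting so the reported name is the fully qualified one.
def walk(node, namespace, warnings)
  return unless node.is_a?(Array)
  case node.first
  when :module
    walk(node[2], namespace + [const_name(node[1])], warnings)
  when :class
    name = const_name(node[1])
    full_name = (namespace + [name]).join('::')
    if MODEL_SUPERCLASSES.include?(const_path(node[2])) && calls?(node[3], 'attr_protected')
      warnings << "#{full_name} specifies attr_protected."
    end
    walk(node[3], namespace + [name], warnings) # nested classes get their own report
  else
    node.each { |child| walk(child, namespace, warnings) }
  end
end

# Collects the constant segments of a (possibly scoped) constant reference,
# e.g. ActiveRecord::Base -> ["ActiveRecord", "Base"]; nil superclass -> [].
def const_path(node)
  return [] unless node.is_a?(Array)
  return [node[1]] if node.first == :@const
  node.flat_map { |child| const_path(child) }
end

def const_name(node)
  const_path(node).join('::')
end

# True when the body contains a call to method_name in any of Ripper's call
# forms: `foo :a`, `foo(:a)` or bare `foo`. Nested classes/modules are skipped
# because they are evaluated separately by walk.
def calls?(node, method_name)
  return false unless node.is_a?(Array)
  return false if %i[class module].include?(node.first)
  if %i[command fcall vcall].include?(node.first) &&
     node[1].is_a?(Array) && node[1][0] == :@ident && node[1][1] == method_name
    return true
  end
  node.any? { |child| calls?(child, method_name) }
end

# Constructed sample input for this example; not taken from any real project.
SAMPLE_SOURCE = <<~RUBY
  module Admin
    class User < ActiveRecord::Base
      attr_protected :admin, :role      # black list: reported
    end
  end

  class Post < ApplicationRecord
    attr_accessible :title, :body       # white list: not reported
  end

  class Settings                        # not an ActiveRecord model: ignored
    attr_protected :secret
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  attr_protected_warnings(SAMPLE_SOURCE).each { |warning| puts warning }
end
```

Running the file prints a single line for Admin::User; the plain Ruby class and the model using attr_accessible are left alone, which is exactly the distinction the check draws.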

Applies to

  • ActiveRecord models

Instance Attribute Summary

Attributes inherited from Base

#interesting_files, #interesting_nodes, #warnings

Instance Method Summary

Methods inherited from Base

#add_warning, #evaluate_node, #warnings_for

Constructor Details

#initialize ⇒ AttrProtectedCheck

:nodoc:

# File 'lib/simplabs/excellent/checks/rails/attr_protected_check.rb', line 22

def initialize #:nodoc:
  super
  @interesting_nodes = [:class]
end

Instance Method Details

#evaluate(context) ⇒ Object

:nodoc:

# File 'lib/simplabs/excellent/checks/rails/attr_protected_check.rb', line 27

def evaluate(context) #:nodoc:
  add_warning(context, '{{class}} specifies attr_protected.', { :class => context.full_name }) if context.active_record_model? && context.specifies_attr_protected?
end