Unprotected mass assignment Open
@item = Item.new(item_params)- Read upRead up
- Exclude checks
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Example:
User.new(params[:user])Unfortunately, if there is a user field called admin which controls administrator access, now any user can make themselves an administrator.
attr_accessible and attr_protected can be used to limit mass assignment. However, Brakeman will warn unless attr_accessible is used, or mass assignment is completely disabled.
There are two different mass assignment warnings which can arise. The first is when mass assignment actually occurs, such as the example above. This results in a warning like
Unprotected mass assignment near line 61: User.new(params[:user])The other warning is raised whenever a model is found which does not use attr_accessible. This produces generic warnings like
Mass assignment is not restricted using attr_accessiblewith a list of affected models.
In Rails 3.1 and newer, mass assignment can easily be disabled:
config.active_record.whitelist_attributes = trueUnfortunately, it can also easily be bypassed:
User.new(params[:user], :without_protection => true)Brakeman will warn on uses of without_protection.
Possible unprotected redirect Open
redirect_to @item, only_path: true- Read upRead up
- Exclude checks
Unvalidated redirects and forwards are #10 on the OWASP Top Ten.
Redirects which rely on user-supplied values can be used to "spoof" websites or hide malicious links in otherwise harmless-looking URLs. They can also allow access to restricted areas of a site if the destination is not validated.
Brakeman will raise warnings whenever redirect_to appears to be used with a user-supplied value that may allow them to change the :host option.
For example,
redirect_to params.merge(:action => :home)will create a warning like
Possible unprotected redirect near line 46: redirect_to(params)This is because params could contain :host => 'evilsite.com' which would redirect away from your site and to a malicious site.
If the first argument to redirect_to is a hash, then adding :only_path => true will limit the redirect to the current host. Another option is to specify the host explicitly.
redirect_to params.merge(:only_path => true)
redirect_to params.merge(:host => 'myhost.com')If the first argument is a string, then it is possible to parse the string and extract the path:
redirect_to URI.parse(some_url).pathIf the URL does not contain a protocol (e.g., http://), then you will probably get unexpected results, as redirect_to will prepend the current host name and a protocol.
Use %i or %I for an array of symbols. Open
before_action :authorize_item, only: [:new, :edit, :create, :update, :import, :destroy, :show]- Read upRead up
- Exclude checks
This cop can check for array literals made up of symbols that are not using the %i() syntax.
Alternatively, it checks for symbol arrays using the %i() syntax on projects which do not want to use that syntax.
Configuration option: MinSize
If set, arrays with fewer elements than this value will not trigger the
cop. For example, a MinSize of3` will not enforce a style on an array
of 2 or fewer elements.
Example: EnforcedStyle: percent (default)
# good
%i[foo bar baz]
# bad
[:foo, :bar, :baz]Example: EnforcedStyle: brackets
# good
[:foo, :bar, :baz]
# bad
%i[foo bar baz]Avoid rescuing without specifying an error class. Open
rescue => e- Read upRead up
- Exclude checks
This cop checks for rescuing StandardError. There are two supported
styles implicit and explicit. This cop will not register an offense
if any error other than StandardError is specified.
Example: EnforcedStyle: implicit
# `implicit` will enforce using `rescue` instead of
# `rescue StandardError`.
# bad
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
endExample: EnforcedStyle: explicit (default)
# `explicit` will enforce using `rescue StandardError`
# instead of `rescue`.
# bad
begin
foo
rescue
bar
end
# good
begin
foo
rescue StandardError
bar
end
# good
begin
foo
rescue OtherError
bar
end
# good
begin
foo
rescue StandardError, SecurityError
bar
endUse %i or %I for an array of symbols. Open
before_action :edit_discogs_param, only: [:index, :create, :update]- Read upRead up
- Exclude checks
This cop can check for array literals made up of symbols that are not using the %i() syntax.
Alternatively, it checks for symbol arrays using the %i() syntax on projects which do not want to use that syntax.
Configuration option: MinSize
If set, arrays with fewer elements than this value will not trigger the
cop. For example, a MinSize of3` will not enforce a style on an array
of 2 or fewer elements.
Example: EnforcedStyle: percent (default)
# good
%i[foo bar baz]
# bad
[:foo, :bar, :baz]Example: EnforcedStyle: brackets
# good
[:foo, :bar, :baz]
# bad
%i[foo bar baz]Extra empty line detected before the rescue. Open
rescue => e- Read upRead up
- Exclude checks
This cops checks if empty lines exist around the bodies of begin
sections. This cop doesn't check empty lines at begin body
beginning/end and around method definition body.
Style/EmptyLinesAroundBeginBody or Style/EmptyLinesAroundMethodBody
can be used for this purpose.
Example:
# good
begin
do_something
rescue
do_something2
else
do_something3
ensure
do_something4
end
# good
def foo
do_something
rescue
do_something2
end
# bad
begin
do_something
rescue
do_something2
else
do_something3
ensure
do_something4
end
# bad
def foo
do_something
rescue
do_something2
end