# File lib/brakeman/checks/check_model_serialize.rb, line 27
  def check_for_serialize model
    if serialized_attrs = model.options[:serialize]
      attrs = Set.new

      serialized_attrs.each do |arglist|
        arglist.each do |arg|
          attrs << arg if symbol? arg
        end
      end

      if unsafe_attrs = model.attr_accessible
        attrs.delete_if { |attr| not unsafe_attrs.include? attr.value }
      elsif protected_attrs = model.attr_protected
        safe_attrs = Set.new

        protected_attrs.each do |arglist|
          arglist.each do |arg|
            safe_attrs << arg if symbol? arg
          end
        end

        attrs.delete_if { |attr| safe_attrs.include? attr }
      end

      if attrs.empty?
        confidence = :medium
      else
        confidence = :high
      end

      warn :model => model.name,
        :warning_type => "Remote Code Execution",
        :warning_code => :CVE_2013_0277,
        :message => msg("Serialized attributes are vulnerable in ", msg_version(rails_version), ", upgrade to ", msg_version(@upgrade_version), " or patch"),
        :confidence => confidence,
        :link => "https://groups.google.com/d/topic/rubyonrails-security/KtmwSbEpzrU/discussion",
        :file => model.file,
        :line => model.top_line
    end
  end