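# Reports models whose mass assignment is unrestricted, and models that
# rely on attr_protected (a blacklist that was bypassable; CVE-2013-0276).
#
# Two reporting modes, chosen by tracker.options[:collapse_mass_assignment]:
#   * collapsed: one warning per category, listing every affected model name
#   * per-model: one warning per model, anchored to its file and line
#
# tracker.options[:ignore_attr_protected] suppresses the attr_protected
# warnings in both modes. Nothing is reported when mass_assign_disabled?
# is true. The effect is the warn calls; the return value is not meaningful.
#
# Fix: the per-model branch previously dropped the :link returned by
# check_for_attr_protected_bypass, so the CVE warning carried no advisory
# link there while the collapsed branch did. Both modes now share the same
# field builder and emit the link.
def run_check
  return if mass_assign_disabled?

  if tracker.options[:collapse_mass_assignment]
    warn_collapsed_mass_assignment
  else
    warn_mass_assignment_per_model
  end
end

# Collapsed mode: gather affected model names, then emit at most one
# warning per category with the sorted, comma-joined names.
def warn_collapsed_mass_assignment
  unrestricted = []
  uses_attr_protected = []

  check_models do |name, model|
    if model.attr_protected.nil?
      unrestricted << name.to_s
    elsif !tracker.options[:ignore_attr_protected]
      uses_attr_protected << name.to_s
    end
  end

  unless unrestricted.empty?
    warn({ :model => unrestricted.sort.join(", ") }.merge(no_attr_accessible_warning_fields))
  end

  unless uses_attr_protected.empty?
    warn({ :model => uses_attr_protected.sort.join(", ") }.merge(attr_protected_warning_fields))
  end
end

# Per-model mode: one warning per model, with file/line so the report
# points at the model definition (or at its first attr_protected call).
def warn_mass_assignment_per_model
  check_models do |name, model|
    if model.attr_protected.nil?
      warn({
        :model => name,
        :file => model.file,
        :line => model.top_line
      }.merge(no_attr_accessible_warning_fields))
    elsif !tracker.options[:ignore_attr_protected]
      # NOTE(review): attr_protected is assumed to be a non-empty list of
      # call nodes once it is non-nil; .first.line raises otherwise — confirm
      # against the model collector.
      warn({
        :model => name,
        :file => model.file,
        :line => model.attr_protected.first.line
      }.merge(attr_protected_warning_fields))
    end
  end
end

# Fields shared by every "no attr_accessible" warning.
def no_attr_accessible_warning_fields
  {
    :warning_type => "Attribute Restriction",
    :warning_code => :no_attr_accessible,
    :message => msg("Mass assignment is not restricted using ", msg_code("attr_accessible")),
    :confidence => :high
  }
end

# Fields shared by every attr_protected warning. check_for_attr_protected_bypass
# supplies message and confidence plus an optional link; a present link
# selects the CVE warning code (presumably meaning the Rails version in use
# is affected — see that method). The link is passed through, possibly nil,
# so the report can cite the advisory in both reporting modes.
def attr_protected_warning_fields
  message, confidence, link = check_for_attr_protected_bypass
  {
    :warning_type => "Attribute Restriction",
    :warning_code => (link ? :CVE_2013_0276 : :attr_protected_used),
    :message => message,
    :confidence => confidence,
    :link => link
  }
end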