Tuesday, June 18, 2019

Brakeman Rails: How to Avoid the Mass Assignment Warning

Brakeman is a static analysis security scanner for Ruby on Rails. It is an open source vulnerability scanner designed specifically for Rails applications: it statically analyzes the application's code to find security issues at any stage of development, without running the app.

I will share some tricks to avoid Brakeman's Mass Assignment warning (medium confidence). The warning fires when a model is built from a request hash that could carry an attribute the client must not control, such as the foreign key that records ownership.
  1. Pay attention to your model relationships. My suggestion is to always use nested attributes.
  2. If necessary, use attr_protected on the relationship key (for example user_id) in your model.
Below are some example cases I've solved:
  • Example Case 1 "Without Relationship":
         Put the relationship key in attr_protected to avoid the Brakeman warning:

      attr_accessible :name, :description
      attr_protected :user_id

         Then save with a method like the following (class methods on the model; user_id comes from the logged-in user, never from the params hash):

      create:
        data_list = {:name => name, :description => description}
        saving_create = self.new(data_list)   # only name/description are mass-assigned
        saving_create.user_id = user_id       # protected key set explicitly
        saving_create.save

      update:
        data_list = {:name => name, :description => description}
        user_data = self.find_by_id(1)        # 1 stands for the id of the record being updated
        user_data.attributes = data_list      # mass assignment still honours the whitelist
        user_data.user_id = user_id
        user_data.save

  • Example Case 2 "With Relationship":

      attr_accessible :name, :description
      attr_protected :user_id

      has_one :category
      has_many :products

      accepts_nested_attributes_for :category, :products

      create:
        # all_data is the array of product hashes supplied by the caller
        data_list = {:name => name, :description => description}
        saving_create = self.new(data_list)
        saving_create.user_id = user_id
        all_data.each do |d|
          saving_process = saving_create.products.build   # build through the association so the foreign key is set by Rails, not by params
          saving_process.product_id = d[:product_id]
          saving_process.product_name = d[:product_name]
        end
        saving_create.save

      update:
        # ActiveRecord::Rollback only takes effect inside a transaction block
        transaction do
          products.each do |p|
            data_list = {:name => p.name, :description => p.description}
            update_process = self.find_by_id(p.user_id)
            update_process.attributes = data_list
            update_process.product_id = p.id
            update_process.product_name = p.product_name
            unless update_process.save
              raise ActiveRecord::Rollback
            end
          end
        end
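To make the reason behind the warning concrete, here is an added example (not code from the original post and not ActiveRecord itself): a small plain-Ruby model base class that mimics the Rails 3 attr_accessible whitelist and an association-style build method. The classes Record, Project, Product and UnprotectedProject, and the REQUEST_PARAMS hash, are constructed for the demonstration. It shows the unprotected pattern (passing the raw params hash to the constructor lets a client pick user_id), the whitelisted pattern from Case 1 (user_id in params is dropped and set explicitly from the trusted context), and the Case 2 pattern of building children through the parent so the child's foreign key never comes from user input. Note that with a whitelist, any attribute not listed in attr_accessible is already protected, so attr_protected :user_id is belt-and-braces rather than the thing that closes the hole.

```ruby
# Added example: plain-Ruby stand-in for Rails 3 mass assignment
# protection. Nothing here loads ActiveRecord; the classes and the
# sample params are constructed for the demonstration.

class Record
  class << self
    # Mirrors attr_accessible: declares the whitelist for this class.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible
      @accessible ||= []
    end
  end

  attr_reader :attributes

  def initialize(attrs = {})
    @attributes = {}
    self.attributes = attrs
  end

  # Mass assignment: only whitelisted keys are taken from the hash;
  # anything else (user_id, id, foreign keys) is silently dropped.
  def attributes=(attrs)
    attrs.each do |key, value|
      key = key.to_s
      next unless self.class.accessible.include?(key)
      @attributes[key] = value
    end
  end

  def [](key)
    @attributes[key.to_s]
  end

  # Explicit setter: bypasses the whitelist on purpose. It is only
  # reachable from application code, never from a params hash.
  def []=(key, value)
    @attributes[key.to_s] = value
  end
end

class Product < Record
  attr_accessible :product_name
end

class Project < Record
  attr_accessible :name, :description

  def products
    @products ||= []
  end

  # Mirrors has_many ... build: the child is linked to its parent here,
  # so the foreign key is set by the model, not by user input.
  def build_product(attrs = {})
    product = Product.new(attrs)
    product[:project_id] = self[:id]
    products << product
    product
  end
end

# The unprotected pattern: the raw params hash goes straight into the
# record, so a client-supplied user_id overwrites ownership.
class UnprotectedProject
  attr_reader :attributes
  def initialize(attrs)
    @attributes = attrs.transform_keys(&:to_s)
  end
end

# Constructed request params; user_id is the key a client must not set.
REQUEST_PARAMS = { name: "Demo", description: "Sample", user_id: 999 }

def create_unprotected(params)
  UnprotectedProject.new(params).attributes["user_id"]
end

def create_protected(params, current_user_id)
  project = Project.new(params)       # user_id in params is ignored
  project[:user_id] = current_user_id # set explicitly from the session
  project[:user_id]
end

def create_with_products(params, current_user_id, product_params)
  project = Project.new(params)
  project[:id] = 1                    # stands in for the id assigned on save
  project[:user_id] = current_user_id
  product_params.each { |pp| project.build_product(pp) }
  project
end

if __FILE__ == $0
  puts create_unprotected(REQUEST_PARAMS)   # 999: the client chose the owner
  puts create_protected(REQUEST_PARAMS, 42) # 42: owner comes from the session
  proj = create_with_products(REQUEST_PARAMS, 42, [{ product_name: "A", project_id: 7 }])
  p proj.products.map(&:attributes)         # project_id is 1, not the 7 from params
end
```

Running the file prints 999 for the unprotected constructor and 42 for the whitelisted one; the product built through the parent carries project_id 1 even though the params tried to pass 7. That is exactly the difference Brakeman is pointing at when it flags `Model.new(params[:model])` on a model with no whitelist.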