Brakeman is a static analysis security scanner for Ruby on Rails. It is an open source vulnerability scanner designed specifically for Ruby on Rails applications: it statically analyzes Rails application code to find security issues at any stage of development.
I will share some tricks to avoid Brakeman's medium-level Mass Assignment warning.
- Pay attention to your model relationships. My suggestion: always use nested attributes.
- If necessary, use attr_protected on the relationship foreign key (for example user_id) in your model.
Below are some example cases I've solved:
- Example Case 1, "Without Relationship":
Put the relationship foreign key in attr_protected to avoid the Brakeman warning:
    attr_accessible :name, :description
    attr_protected :user_id
Save with methods like these (the method names are only illustrative; the point is that the foreign key never comes from the attributes hash):
create:
    def self.create_with_owner(name, description, user_id)
      data_list = { :name => name, :description => description }
      saving_create = self.new(data_list)  # only whitelisted attributes come from the hash
      saving_create.user_id = user_id      # foreign key assigned directly, not mass-assigned
      saving_create.save
    end
update:
    def self.update_with_owner(id, name, description, user_id)
      data_list = { :name => name, :description => description }
      user_data = self.find_by_id(id)
      user_data.attributes = data_list     # whitelisted attributes only
      user_data.user_id = user_id          # foreign key assigned directly
      user_data.save
    end
- Example Case 2, "With Relationship":
    attr_accessible :name, :description
    attr_protected :user_id
    has_one :category
    has_many :products
    accepts_nested_attributes_for :category, :products
create:
    # all_data is an array of hashes, each with :product_id and :product_name
    def self.create_with_products(name, description, user_id, all_data)
      data_list = { :name => name, :description => description }
      saving_create = self.new(data_list)
      saving_create.user_id = user_id      # foreign key assigned directly
      all_data.each do |d|
        saving_process = saving_create.products.build   # child built through the association
        saving_process.product_id = d[:product_id]
        saving_process.product_name = d[:product_name]
      end
      saving_create.save                   # saves parent and built products together
    end
update:
    # ActiveRecord::Rollback only undoes work when raised inside a transaction block
    def self.update_products(products)
      transaction do
        products.each do |p|
          data_list = { :name => p.name, :description => p.description }
          update_process = self.find_by_id(p.user_id)
          update_process.attributes = data_list
          update_process.product_id = p.id
          update_process.product_name = p.name
          unless update_process.save
            raise ActiveRecord::Rollback   # abort the whole batch on the first failed save
          end
        end
      end
    end
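Both cases above rest on the same mechanism: the attributes hash is filtered through a whitelist before assignment, and the owner foreign key is set from the authenticated user rather than from the request. The following is an added example, not code from the post, that models that behaviour in plain Ruby so it can be run without Rails. The classes (Project, Product), the MassAssignmentGuard module, the create_project function and the TAMPERED_PARAMS request are all constructed here for illustration; they stand in for an ActiveRecord model using attr_accessible and accepts_nested_attributes_for.

```ruby
# Added example: a minimal stand-in for Rails 3 attr_accessible whitelisting.
# Keys absent from the whitelist are dropped and reported, never assigned.
module MassAssignmentGuard
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # attr_accessible: only these attribute names may come from a params hash
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # Assigns whitelisted keys; returns the list of rejected keys so a caller
  # (or a log line) can see what the request tried to set.
  def assign_attributes(params)
    rejected = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        instance_variable_set("@#{key}", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end

# Hypothetical parent model: user_id is deliberately left off the whitelist.
class Project
  include MassAssignmentGuard
  attr_accessor :name, :description, :user_id, :products
  attr_accessible :name, :description

  def initialize
    @products = []
  end
end

# Hypothetical nested model: project_id is deliberately left off the whitelist.
class Product
  include MassAssignmentGuard
  attr_accessor :product_name, :price, :project_id
  attr_accessible :product_name, :price
end

# Mirrors the post's "create" flow: whitelisted fields via mass assignment,
# the owner key from the authenticated user, nested products built one by one.
# Returns the project and every key the request tried to set but was refused.
def create_project(params, current_user_id)
  project = Project.new
  parent_params = params.reject { |k, _| k.to_s == "products_attributes" }
  rejected = project.assign_attributes(parent_params)
  project.user_id = current_user_id   # trusted source, never taken from params
  Array(params[:products_attributes]).each do |attrs|
    product = Product.new
    rejected.concat(product.assign_attributes(attrs))
    project.products << product       # the ORM would set project_id on save
  end
  [project, rejected]
end

# Constructed request: a params hash that tries to reassign ownership at both
# the parent and the nested level, which is exactly what the warning is about.
TAMPERED_PARAMS = {
  name: "Q3 report",
  description: "quarterly numbers",
  user_id: 1,                                           # attempt to claim another user's record
  products_attributes: [
    { product_name: "Widget", price: 9, project_id: 42 } # attempt to re-parent a child
  ]
}

if __FILE__ == $0
  project, rejected = create_project(TAMPERED_PARAMS, 7)
  puts "owner: #{project.user_id}, rejected keys: #{rejected.inspect}"
end
```

Running the file shows the project owned by user 7 with `user_id` and `project_id` listed as rejected, regardless of what the request carried. In a real Rails 3.2 application the same rejection is performed by the mass-assignment sanitizer; setting `config.active_record.mass_assignment_sanitizer = :strict` in the development and test environments makes it raise instead of log, so a tampered key is caught during testing rather than silently dropped in production.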