mhartl-find_mass_assignment 1.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,31 @@
+# FindMassAssignment
+
+## A Rails plugin to find likely mass assignment vulnerabilities
+
+The <tt>find\_mass\_assignment</tt> Rake task defined by the plugin finds likely mass assignment problems in Rails projects.
+
+The method is to scan the controllers for likely mass assignment, and then find the corresponding models that *don't* have <tt>attr\_accessible</tt> defined.  Any time that happens, it's a potential problem.
+
+Install this plugin as follows:
+
+    $ script/plugin install git://github.com/mhartl/find_mass_assignment.git
+
+
+# Example
+
+Suppose line 17 of the Users controller is
+
+    @user = User.new(params[:user])
+
+but the User model *doesn't* define <tt>attr_accessible</tt>.  Then we get the output
+
+    $ rake find_mass_assignment
+
+    /path/to/app/controllers/users_controller.rb
+      17  @user = User.new(params[:user])
+
+This indicates that the User model has a likely mass assignment vulnerability.
+
+# Copyright
+
+Copyright (c) 2008 Michael Hartl, released under the MIT license

data/Rakefile

@@ -0,0 +1,22 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the find_mass_assignment plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the find_mass_assignment plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'FindMassAssignment'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/find_mass_assignment.gemspec

@@ -0,0 +1,12 @@
+spec = Gem::Specification.new do |s| 
+  s.name = "find_mass_assignment"
+  s.version = "1.0"
+  s.author = "Michael Hartl"
+  s.email = "michael@insoshi.com"
+  s.homepage = "http://insoshi.com/"
+  s.summary = "Find likely mass assignment vulnerabilities"
+  s.files = ["README.markdown", "Rakefile", "find_mass_assignment.gemspec",
+             "lib/find_mass_assignment.rb",
+             "tasks/find_mass_assignment_tasks.rake",
+             "MIT-LICENSE"]
+end

data/lib/find_mass_assignment.rb

@@ -0,0 +1,90 @@
+require 'active_support'  
+
+# Find potential mass assignment problems.
+# The method is to scan the controllers for likely mass assignment,
+# and then find the corresponding models that *don't* have 
+# attr_accessible defined.  Any time that happens, it's a potential problem.
+
+class String
+  
+  @@cache = {}
+  
+  # A regex to match likely cases of mass assignment
+  # Examples of matching strings:
+  #   "Foo.new( { :bar => 'baz' } )"
+  #   "Foo.update_attributes!(params[:foo])"
+  MASS_ASSIGNMENT = /(\w+)\.(new|create|update_attributes|build)!*\(/
+  
+  # Return the strings that represent potential mass assignment problems.
+  # The MASS_ASSIGNMENT regex returns, e.g., ['Post', 'new'] because of
+  # the grouping methods; we want the first of the two for each match.
+  # For example, the call to scan might return
+  #   [['Post', 'new'], ['Person', 'create']]
+  # We then select the first element of each subarray, returning
+  #   ['Post', 'Person']
+  def mass_assignment_models
+    scan(MASS_ASSIGNMENT).map { |problem| problem.first.classify }
+  end
+
+  # Return true if the string has potential mass assignment code.
+  def mass_assignment?
+    self =~ MASS_ASSIGNMENT
+  end
+  
+  # Return true if the model defines attr_accessible.
+  # Note that 'attr_accessible' must be preceded by nothing other than
+  # whitespace; this catches cases where attr_accessible is commented out.
+  def attr_accessible?
+    model = "#{RAILS_ROOT}/app/models/#{self.classify}.rb"
+    if File.exist?(model)
+      return @@cache[model] unless @@cache[model].nil?
+      @@cache[model] = File.open(model).read =~ /^\s*attr_accessible/
+    else
+      # If the model file doesn't exist, ignore it by returning true.
+      # This way, problem? is false and the item won't be flagged.
+      true
+    end
+  end
+  
+  # Returnt true if a model does not define attr_accessible.
+  def problem?
+    not attr_accessible?
+  end
+  
+  # Return true if a line has a problem model (no attr_accessible).
+  def problem_model?
+    mass_assignment_models.find { |model| model.problem? }
+  end
+  
+  # Return true if a controller string has a (likely) mass assignment problem.
+  # This is true if at least one of the controller's lines 
+  #   (1) Has a likely mass assignment
+  #   (2) The corresponding model doesn't define attr_accessible
+  def mass_assignment_problem?
+    File.open(self).find { |l| l.mass_assignment? and l.problem_model? }
+  end
+end
+
+module MassAssignment
+
+  def self.print_mass_assignment_problems(controller)
+    lines = File.open(controller)
+    lines.each_with_index do |line, number|
+      if line.mass_assignment? and line.problem_model?
+        puts "    #{number}  #{line}"
+      end
+    end
+  end
+
+  def self.find
+    controllers = Dir.glob("#{RAILS_ROOT}/app/controllers/*_controller.rb")
+    controllers.each do |controller|
+      if controller.mass_assignment_problem?
+        puts "\n#{controller}"
+        print_mass_assignment_problems(controller)
+      end
+    end
+  end
+end
+
+

data/tasks/find_mass_assignment_tasks.rake

@@ -0,0 +1,5 @@
+desc "Find potential mass assignment vulnerabilities"
+task :find_mass_assignment do
+  require File.join(File.dirname(__FILE__), "../lib/find_mass_assignment.rb")
+  MassAssignment.find
+end

metadata

@@ -0,0 +1,58 @@
+--- !ruby/object:Gem::Specification 
+name: mhartl-find_mass_assignment
+version: !ruby/object:Gem::Version 
+  version: "1.0"
+platform: ruby
+authors: 
+- Michael Hartl
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2008-10-27 00:00:00 -07:00
+default_executable: 
+dependencies: []
+
+description: 
+email: michael@insoshi.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- README.markdown
+- Rakefile
+- find_mass_assignment.gemspec
+- lib/find_mass_assignment.rb
+- tasks/find_mass_assignment_tasks.rake
+- MIT-LICENSE
+has_rdoc: false
+homepage: http://insoshi.com/
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.2.0
+signing_key: 
+specification_version: 2
+summary: Find likely mass assignment vulnerabilities
+test_files: []
+