Reports any calls to validates_format_of which do not use \A and \z as anchors in the given regular expression.
For example:
#Allows anything after new line validates_format_of :user_name, :with => /^\w+$/
Issue warning if the regular expression does not use \A and \z
# File lib/brakeman/checks/check_validation_regex.rb, line 64 def check_regex value, validator return unless regexp? value regex = value.value.inspect unless regex =~ /\A\/\\A.*\\(z|Z)\/(m|i|x|n|e|u|s|o)*\z/ warn :model => @current_model, :warning_type => "Format Validation", :message => "Insufficient validation for '#{get_name validator}' using #{regex}. Use \\A and \\z as anchors", :line => value.line, :confidence => CONFIDENCE[:high] end end
Get the name of the attribute being validated.
# File lib/brakeman/checks/check_validation_regex.rb, line 78 def get_name validator name = validator[1] if sexp? name name.value else name end end
Check validates ..., :format => ...
# File lib/brakeman/checks/check_validation_regex.rb, line 47 def process_validates validator hash_arg = validator.last return unless hash? hash_arg value = hash_access(hash_arg, FORMAT) if hash? value value = hash_access(value, WITH) end if value check_regex value, validator end end
Check validates_format_of
# File lib/brakeman/checks/check_validation_regex.rb, line 40 def process_validates_format_of validator if value = hash_access(validator.last, WITH) check_regex value, validator end end
# File lib/brakeman/checks/check_validation_regex.rb, line 18 def run_check active_record_models.each do |name, model| @current_model = name format_validations = model[:options][:validates_format_of] if format_validations format_validations.each do |v| process_validates_format_of v end end validates = model[:options][:validates] if validates validates.each do |v| process_validates v end end end end
Generated with the Darkfish Rdoc Generator 2.