Description
This script is possibly vulnerable to a Rails mass assignment vulnerability.
@user = User.new(params[:user])
In the above line of code, mass assignment is used to populate a newly created User from the params hash (user-submitted data). If no precautions are taken, an attacker can pass in their own parameters and set any user attribute. Consider an application whose users table contains an admin column. When creating a new account, an attacker can pass in the parameter user[admin] set to 1 and make themselves an admin. The security implications of mass assignment have been documented since Rails' inception, yet many applications are still vulnerable.
Remediation
To avoid this, Rails provides two class methods in your Active Record class to control access to your attributes. The attr_protected method takes a list of attributes that will not be accessible for mass assignment. A much better way, because it follows the whitelist principle, is the attr_accessible method. It is the exact opposite of attr_protected: it takes a list of attributes that will be accessible, and all other attributes are protected. This way you won't forget to protect attributes when adding new ones in the course of development. Here is an example:
attr_accessible :name
attr_accessible :name, :is_admin, :as => :admin
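The following is an added example, not code from the original page or from Rails: a plain-Ruby stand-in for Active Record's mass assignment that reproduces the attr_accessible whitelist (with the :as => :admin role scope from the remediation above) and shows the user[is_admin]=1 parameter being dropped for a normal signup. ModelBase, whitelist and sanitize are names assumed for this illustration, not Rails' own API.

```ruby
# Added example: a plain-Ruby stand-in for Active Record's mass assignment so
# it runs without Rails. ModelBase, whitelist and sanitize are assumed names.
class ModelBase
  class << self
    # attr_accessible: whitelist attributes for mass assignment, optionally
    # scoped to a role (:as => :admin) as in the remediation above.
    def attr_accessible(*names)
      opts = names.last.is_a?(Hash) ? names.pop : {}
      whitelist[opts[:as] || :default] |= names.map(&:to_s)
    end
    def whitelist
      @whitelist ||= Hash.new { |h, k| h[k] = [] }
    end
    # Keep only whitelisted keys; warn per dropped key so attempts are visible.
    def sanitize(params, role)
      params.each_with_object({}) do |(k, v), kept|
        if whitelist[role].include?(k.to_s)
          kept[k.to_s] = v
        else
          warn "dropped protected attribute #{k} (role #{role})"
        end
      end
    end
  end
  attr_reader :attributes
  # Like User.new(params[:user]): populate from the params hash in one call.
  def initialize(params = {}, options = {})
    @attributes = self.class.sanitize(params, options[:as] || :default)
  end
end

# Vulnerable shape: no whitelist, every submitted key is written through.
class UnprotectedUser < ModelBase
  def initialize(params = {}, _options = {})
    @attributes = params.transform_keys(&:to_s)
  end
end

class User < ModelBase
  attr_accessible :name
  attr_accessible :name, :is_admin, :as => :admin
end

# Constructed request body: a signup form with user[is_admin]=1 appended.
SIGNUP_PARAMS = { "name" => "mallory", "is_admin" => "1" }.freeze
def unprotected_signup; UnprotectedUser.new(SIGNUP_PARAMS).attributes; end
def visitor_signup;     User.new(SIGNUP_PARAMS).attributes;             end
def admin_create;       User.new(SIGNUP_PARAMS, :as => :admin).attributes; end
```

Running the three helpers shows the unprotected model persisting is_admin, the default role keeping only name, and the admin role (used only from trusted admin code, never from a public form) accepting both.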
References