Rails mass assignment

Description

Manual confirmation is required for this alert.

This script is possibly vulnerable to Rails Mass Assignment vulnerability.

@user = User.new(params[:user])
In the above line of code mass assignment is used to populate a newly created User from the params hash (user submitted data). If no precautions are taken an attacker can pass in their own parameters and set any user attributes. Consider an application that has a users table containing an admin column. When creating a new account an attacker can pass in the parameter user[admin] set to 1 and make themselves an admin. The security implications of mass assignment have been documented since Rails's inception and yet many applications are still vulnerable.

Remediation

To avoid this, Rails provides two class methods in your Active Record class to control access to your attributes. The attr_protected method takes a list of attributes that will not be accessible for mass-assignment .A much better way, because it follows the whitelist-principle, is the attr_accessible method. It is the exact opposite of attr_protected, because it takes a list of attributes that will be accessible. All other attributes will be protected. This way you won't forget to protect attributes when adding new ones in the course of development. Here is an example:

attr_accessible :name
attr_accessible :name, :is_admin, :as => :admin

References
Severity
Classification
Tags
  • Abuse Of Functionality  Known Vulnerabilities