Description

Manual confirmation is required for this alert.

This script is possibly vulnerable to Rails Mass Assignment vulnerability.

@user = User.new(params[:user])
In the above line of code mass assignment is used to populate a newly created User from the params hash (user submitted data). If no precautions are taken an attacker can pass in their own parameters and set any user attributes. Consider an application that has a users table containing an admin column. When creating a new account an attacker can pass in the parameter user[admin] set to 1 and make themselves an admin. The security implications of mass assignment have been documented since Rails's inception and yet many applications are still vulnerable.

Remediation

To avoid this, Rails provides two class methods in your Active Record class to control access to your attributes. The attr_protected method takes a list of attributes that will not be accessible for mass-assignment .A much better way, because it follows the whitelist-principle, is the attr_accessible method. It is the exact opposite of attr_protected, because it takes a list of attributes that will be accessible. All other attributes will be protected. This way you won't forget to protect attributes when adding new ones in the course of development. Here is an example:

attr_accessible :name
attr_accessible :name, :is_admin, :as => :admin

References

Ruby On Rails Security Guide

Ruby on Rails: Secure Mass Assignment

Related Vulnerabilities

Oracle Application Server Other Vulnerability (CVE-2000-0169)

MyBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2016-9421)

Oracle HTTP Server Improper Input Validation Vulnerability (CVE-2020-29507)

MySQL CVE-2023-22008 Vulnerability (CVE-2023-22008)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-16147)

Severity

High

Classification

CWE-915 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Abuse Of Functionality Known Vulnerabilities