Find likely mass assignment vulnerabilities

Find Mass Assignment

A Rails plugin to find likely mass assignment vulnerabilities

The find_mass_assignment Rake task defined by the plugin finds likely mass assignment problems in Rails projects.

The method is to scan the controllers for likely mass assignment, and then find the corresponding models that don't have attr_accessible defined. Any time that happens, it's a potential problem.

Install this plugin as follows:

$ script/plugin install git://github.com/mhartl/find_mass_assignment.git

For more information, see my brief review of mass assignment and my discussion of how to fix mass assignment vulnerabilities in Rails.

Warning: For convenience, the plugin defines some "unsafe" attribute updates (see below), including a method called unsafe_attributes= to bypass the attr_accessible restrictions. This means that any attribute protected with attr_protected can also be bypassed simply by hitting the application at a URL like

http://127.0.0.1:3000/.../?user[unsafe_attributes][admin]=1

As a result, if you use this plugin, always use attr_accessible in every model that is exposed to mass assignment via a web interface.

(I tried working around this in unsafe_attributes= by testing each attribute to make sure it wasn't protected, but merely testing whether attr_protected included a given attribute, using self.class.attr_protected.include?, somehow violated the restriction that no model can define both attr_accessible and attr_protected. The result was massive breakage in my test suites for any model that defined attr_accessible, which is usually all of them.)

Example

Suppose line 17 of the Users controller is

@user = User.new(params[:user])

but the User model doesn't define attr_accessible. Then we get the output

$ rake find_mass_assignment

/path/to/app/controllers/users_controller.rb
  17  @user = User.new(params[:user])

This indicates that the User model has a likely mass assignment vulnerability. If no apparent vulnerabilities are found, the rake task simply prints nothing.
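The scan described above (controller hits matched against models lacking attr_accessible) and the example output, re-created as a small added example that is not the plugin's own code. It runs on constructed controller and model source strings; the regular expression, the inference of a model name from the params key, and the sample sources are assumptions:

```ruby
# Added example, not the plugin's own code: a minimal re-creation of the
# find_mass_assignment scan over constructed source strings. It finds calls
# passing a whole params hash to a model and flags models lacking attr_accessible.
# Matches "User.new(params[:user])", "@user.update_attributes(params[:user])",
# "Post.create!(params[:post])" etc.; captures a constant receiver as :model.
MASS_ASSIGNMENT = /
  (?:(?<model>[A-Z]\w*)|@\w+|\w+)\.
  (?:new|create!?|build|update_attributes!?)
  \(\s*params\[:(?<param>\w+)\]\s*\)
/x

# Returns [[line_number, line_text, model_name], ...]. With a variable
# receiver (@user) the model is inferred from the params key (:user -> User).
def find_mass_assignment(controller_source)
  controller_source.each_line.with_index(1).filter_map do |line, n|
    m = MASS_ASSIGNMENT.match(line) or next
    model = m[:model] || m[:param].split("_").map(&:capitalize).join
    [n, line.strip, model]
  end
end

def defines_attr_accessible?(model_source)
  model_source.match?(/^\s*attr_accessible\b/)
end
# Keeps only hits whose model lacks attr_accessible (or is not found at all)
# and formats them like the rake task: the path, then "  <line>  <code>".
def report(path, controller_source, models)
  hits = find_mass_assignment(controller_source).reject do |_, _, model|
    models.key?(model) && defines_attr_accessible?(models[model])
  end
  return "" if hits.empty?
  ([path] + hits.map { |n, code, _| format("  %d  %s", n, code) }).join("\n") + "\n"
end

# Constructed sample input: one controller and two models, only Post protected.
CONTROLLER = <<~RUBY
  class UsersController < ApplicationController
    def create
      @user = User.new(params[:user])
    end
    def update
      @post = Post.new(params[:post])
    end
  end
RUBY
MODELS = {
  "User" => "class User < ActiveRecord::Base\nend\n",
  "Post" => "class Post < ActiveRecord::Base\n  attr_accessible :title, :body\nend\n",
}
```

Calling report("app/controllers/users_controller.rb", CONTROLLER, MODELS) flags only line 3 (User has no attr_accessible), while the Post call on line 6 is silent.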

The Unix exit status code of the rake task is 0 on success, 1 on failure, which means it can be used in a pre-commit hook. For example, if you use Git for version control, you can check for mass assignment vulnerabilities before each commit by putting

rake find_mass_assignment

at the end of the .git/hooks/pre-commit file.* Any commits that introduce potential mass assignment vulnerabilities (as determined by the plugin) will then fail automatically.

*Be sure to make the pre-commit hook file executable if it isn't already:

$ chmod +x .git/hooks/pre-commit

(You might also want to comment out the weird Perl script that's the default pre-commit hook on some systems; it gives you warnings like "You have some suspicious patch lines" that you probably don't want.)

Unsafe attribute updates

It is often useful to override attr_accessible, especially at the console and in tests, so the plugin also adds an assortment of helper methods to Active Record:

  • unsafe_new
  • unsafe_build
  • unsafe_create/unsafe_create!
  • unsafe_update_attributes/unsafe_update_attributes!

These work just like their safe counterparts, except they bypass attr_accessible. For example,

Person.unsafe_new(:admin => true)

works even if admin isn't attr_accessible.

Copyright

Copyright (c) 2008 Michael Hartl, released under the MIT license
