Find Mass Assignment

A Rails plugin to find likely mass assignment vulnerabilities

The find_mass_assignment Rake task defined by the plugin finds likely mass assignment problems in Rails projects.

The method is to scan the controllers for likely mass assignment, and then find the corresponding models that don't have attr_accessible defined. Any time that happens, it's a potential problem.

Install this plugin as follows:

$ script/plugin install git://github.com/mhartl/find_mass_assignment.git

For more information, see my brief review of mass assignment and my discussion of how to fix mass assignment vulnerabilities in Rails.

Warning: For convenience, the plugin defines some "unsafe" attribute updates (see below), including a method called unsafe_attributes= to bypass the attr_accessible restrictions. This means that any attribute protected with attr_protected can also be bypassed simply by hitting the application at a URL like

http://127.0.0.1:3000/.../?user[unsafe_attributes][admin]=1

As a result, if you use this plugin, always use attr_accessible in every model that is exposed to mass assignment via a web interface.

(I tried working around this in unsafe_attributes= by testing each attribute to make sure it wasn't protected, but merely testing whether attr_protected included a given attribute, using self.class.attr_protected.include?, somehow violated the restriction that no model can define both attr_accessible and attr_protected. The result was massive breakage in my test suites for any model that defined attr_accessible, which is usually all of them.)

Example

Suppose line 17 of the Users controller is

@user = User.new(params[:user])

but the User model doesn't define attr_accessible. Then we get the output

$ rake find_mass_assignment

/path/to/app/controllers/users_controller.rb
  17  @user = User.new(params[:user])

This indicates that the User model has a likely mass assignment vulnerability. In the case of no apparent vulnerabilities, the rake task simply returns nothing.

The Unix exit status code of the rake task is 0 on success, 1 on failure, which means it can be used in a pre-commit hook. For example, if you use Git for version control, you can check for mass assignment vulnerabilities before each commit by putting

rake find_mass_assignment

at the end of the .git/hooks/pre-commit file.* Any commits that introduce potential mass assignment vulnerabilities (as determined by the plugin) will then fail automatically.

*Be sure to make the pre-commit hook file executable if it isn't already:

$ chmod +x .git/hooks/pre-commit

(You might also want to comment out the weird Perl script that's the default pre-commit hook on some systems; it gives you warnings like "You have some suspicious patch lines" that you probably don't want.)

Unsafe attribute updates

It is often useful to override attr_accessible, especially at the console and in tests, so the plugin also adds an assortment of helper methods to Active Record:

• unsafe_new
• unsafe_build
• unsafe_create/unsafe_create!
• unsafe_update_attributes/unsafe_update_attributes!

These work just like their safe counterparts, except they bypass attr_accessible. For example,

Person.unsafe_new(:admin => true)

works even if admin isn't attr_accessible.

Copyright

Copyright (c) 2008 Michael Hartl, released under the MIT license