Comments on: Finding and fixing mass assignment problems in Rails applications

By: Mister Cox

Mister Cox — Tue, 09 Feb 2010 19:25:17 +0000

Ah, thanks! This cleared up some contradictions I’ve heard.

By: LRBlog » Blog Archive » Bypassing mass assignment for update_attributes

Sat, 14 Mar 2009 21:45:11 +0000

[...] been following this excellent post by M. Hartl and this post by E. Chapweske banishing mass assignment from one of my Rails applications due to [...]

By: Allan L.

Allan L. — Sun, 16 Nov 2008 06:42:15 +0000

Bless you, sir, for this write up and for the plugin!

Used it on my current project, showed me exactly where I needed to tighten things up.

By: mhartl

mhartl — Wed, 24 Sep 2008 17:25:05 +0000

Oh, I see what you mean. There’s no way in general for the plugin to distinguish between a true mass assignment problem and code that just looks that way. It simply flags possible mass assignment issues. As noted in the final example from the post, that means that it catches some code in the Insoshi Photos controller that is actually safe. The programmer (in this case, me) has to realize it’s not actually a bug.

Ultimately, the plugin’s output does rely on the programmer’s judgment to determine if the mass assignment in question is a problem or not. I’d love to improve its ability to discriminate between problems and non-problems, so if you think of any way to do that please fork the project on GitHub and send the changes my way.

By: Neil

Neil — Wed, 24 Sep 2008 07:11:19 +0000

Sorry, Michael. I didn’t make myself clear enough on this one. The plugin (IIRC) highlights my second example as a ‘mass assignment’ loophole, when it isn’t. I was suggesting the plugin could be altered to exclude these instances in MA results. I think this is a fantastic plugin and should be a part of every pre-deployment check, so that’s why I think the change is worth doing.

By: mhartl

mhartl — Tue, 23 Sep 2008 16:55:32 +0000

@Neil: There’s no need for a plugin in your case. Just write

Comment.update_attributes(:body => params[:comment][:body], :title => params[:comment][:title])

Since you provide the hash keys explicitly, this statement is not susceptible to mass assignment vulnerabilities.

By: Neil

Neil — Tue, 23 Sep 2008 08:13:45 +0000

Michael, thanks for this – it’s very, very useful! I’m using Paperclip instead of Attachment_fu so I get to avoid those issues.

I do have one suggestion (although, being a Rails newbie, I don’t know much about how the plugin works, or if this is even a worthy suggestion – but here goes…);

Could you make the plugin search specifically for;

@comment = Comment.update_attributes(params[:comment])

…instead of

@comment = Comment.update_attributes({:body, params[:comment][:body], :title, params[:comment][:title]})

I found a couple of examples where the plugin told me I had MA holes when I was only assigning a couple of new attributes.

Cheers

By: Sean Schofield

Sean Schofield — Tue, 23 Sep 2008 01:16:20 +0000

Thanks for the tip on using attr_protected with attachment_fu. That saved me a little bit of aggravation.

By: Eric

Eric — Mon, 22 Sep 2008 06:17:32 +0000

Thanks for highlighting the testing problem, these are some great tips.

By: Mass assignment in Rails applications « Insoshi Ruby on Rails blog

Mass assignment in Rails applications « Insoshi Ruby on Rails blog — Mon, 22 Sep 2008 01:19:49 +0000

[...] by an email from Eric Chapweske of Slantwise Design, I recently audited the Insoshi social network for mass assignment vulnerabilities. Doing this manually was annoying, so in the process I developed a simple plugin to find likely [...]