Insecure Mass Assignment

ID: rb/insecure-mass-assignment
Kind: path-problem
Security severity: 9.8
Severity: error
Precision: high
Tags:
- security
- external/cwe/cwe-915
Query suites:
- ruby-code-scanning.qls
- ruby-security-extended.qls
- ruby-security-and-quality.qls
Operations that allow for mass assignment (setting multiple attributes of an object using a hash), such as ActiveRecord::Base.new, should take care not to allow arbitrary parameters to be set by the user. Otherwise, unintended attributes may be set, such as an is_admin field for a User object.

Recommendation

When using a mass assignment operation from user supplied parameters, use ActionController::Parameters#permit to restrict the possible parameters a user can supply, rather than ActionController::Parameters#permit!, which permits arbitrary parameters to be used for mass assignment.

Example

In the following example, permit! is used, which allows arbitrary parameters to be supplied by the user.
```ruby
class UserController < ActionController::Base
  def create
    # BAD: arbitrary params are permitted to be used for this assignment
    User.new(user_params).save!
  end

  def user_params
    params.require(:user).permit!
  end
end
```
In the following example, only specific parameters are permitted, so the mass assignment is safe.
```ruby
class UserController < ActionController::Base
  def create
    # GOOD: the permitted parameters are explicitly specified
    User.new(user_params).save!
  end

  def user_params
    params.require(:user).permit(:name, :email)
  end
end
```
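The following is an added example, not part of the CodeQL query documentation or of Rails itself: it runs without Rails and models why the permit! version above lets a client set is_admin while the permit(:name, :email) version does not. The User class, the request hash and the permit_params / permit_all_params helpers are constructed stand-ins for the allowlist behaviour of ActionController::Parameters, not the real Rails implementation.

```ruby
# Minimal model whose constructor performs mass assignment: every key in the
# hash becomes an attribute, including privileged ones such as :is_admin.
# (Constructed stand-in for an ActiveRecord model; not Rails code.)
class User
  attr_reader :name, :email, :is_admin

  def initialize(attrs = {})
    @is_admin = false # safe default; only a trusted path should change it
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
  end
end

# Stand-in for the allowlist semantics of ActionController::Parameters#permit:
# keys not in the allowlist are silently dropped, so a client-supplied
# "is_admin" never reaches the constructor.
def permit_params(raw, allowed)
  raw.select { |k, _| allowed.include?(k.to_sym) }
end

# Stand-in for permit!: everything the client sent is passed through.
def permit_all_params(raw)
  raw.dup
end

# Constructed request body in which the client smuggles an extra attribute.
REQUEST_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.com",
  "is_admin" => true
}.freeze

# BAD path (mirrors the permit! controller): arbitrary params reach the model,
# so the returned user has is_admin == true.
def create_user_permit_all(raw = REQUEST_PARAMS)
  User.new(permit_all_params(raw))
end

# GOOD path (mirrors the permit(:name, :email) controller): only :name and
# :email survive the allowlist, so is_admin keeps its default of false.
def create_user_permitted(raw = REQUEST_PARAMS)
  User.new(permit_params(raw, %i[name email]))
end
```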
References

Rails guides: Strong Parameters.
Common Weakness Enumeration: CWE-915.