Skip to content

robg/find_mass_assignment

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

32 Commits
lib
lib
 
 
tasks
tasks
 
 
MIT-LICENSE
MIT-LICENSE
 
 
README.markdown
README.markdown
 
 
Rakefile
Rakefile
 
 
init.rb
init.rb
 
 
install.rb
install.rb
 
 
uninstall.rb
uninstall.rb
 
 

Repository files navigation

Find Mass Assignment

A Rails plugin to find likely mass assignment vulnerabilities

The find_mass_assignment Rake task defined by the plugin finds likely mass assignment problems in Rails projects.

The method is to scan the controllers for likely mass assignment, and then find the corresponding models that don't have attr_accessible defined. Any time that happens, it's a potential problem.

Install this plugin as follows:

$ script/plugin install git://github.com/mhartl/find_mass_assignment.git

For more information, see my brief review of mass assignment and my discussion of how to fix mass assignment vulnerabilities in Rails.

Example

Suppose line 17 of the Users controller is

@user = User.new(params[:user])

but the User model doesn't define attr_accessible. Then we get the output

$ rake find_mass_assignment

/path/to/app/controllers/users_controller.rb
  17  @user = User.new(params[:user])

This indicates that the User model has a likely mass assignment vulnerability. In the case of no apparent vulnerabilities, the rake task simply returns nothing.

The Unix exit status code of the rake task is 0 on success, 1 on failure, which means it can be used in a pre-commit hook. For example, if you use Git for version control, you can check for mass assignment vulnerabilities before each commit by putting

rake find_mass_assignment

at the end of the .git/hooks/pre-commit file.* Any commits that introduce potential mass assignment vulnerabilities (as determined by the plugin) will then fail automatically.

*Be sure to make the pre-commit hook file executable if it isn't already:

$ chmod +x .git/hooks/pre-commit

(You might also want to comment out the weird Perl script that's the default pre-commit hook on some systems; it gives you warnings like "You have some suspicious patch lines" that you probably don't want.)

Unsafe attribute updates

It is often useful to override attr_accessible, especially at the console and in tests, so the plugin also adds an assortment of helper methods to Active Record:

  • unsafe_new
  • unsafe_build
  • unsafe_create/unsafe_create!
  • unsafe_update_attributes/unsafe_update_attributes!

These work just like their safe counterparts, except they bypass attr_accessible. For example,

Person.unsafe_new(:admin => true)

works even if admin isn't attr_accessible.

Copyright

Copyright (c) 2008 Michael Hartl, released under the MIT license

About

Find likely mass assignment vulnerabilities

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Ruby 100.0%