mhartl / find_mass_assignment
watch download tarball
public
Forks3Right
Watchers64Right
Description: Find likely mass assignment vulnerabilities
Homepage:
Clone URL: git://github.com/mhartl/find_mass_assignment.git
name age
history
message
file MIT-LICENSE Tue May 05 12:40:12 -0700 2009 Updated plugin creator in license [mhartl]
file README.markdown Tue Apr 28 11:12:49 -0700 2009 Updated README URLs [mhartl]
file Rakefile Sat Sep 20 20:20:57 -0700 2008 init [mhartl]
file init.rb Mon Apr 27 12:50:49 -0700 2009 Added unsafe_build_and_create [mhartl]
file install.rb Sat Sep 20 20:20:57 -0700 2008 init [mhartl]
directory lib/ Thu Dec 03 16:18:37 -0800 2009 Proper behavior on create! (thanks to Steve Cha... [mhartl]
directory tasks/ Sat Sep 20 20:20:57 -0700 2008 init [mhartl]
file uninstall.rb Sat Sep 20 20:20:57 -0700 2008 init [mhartl]
README.markdown

Find Mass Assignment

A Rails plugin to find likely mass assignment vulnerabilities

The find_mass_assignment Rake task defined by the plugin finds likely mass assignment problems in Rails projects.

The method is to scan the controllers for likely mass assignment, and then find the corresponding models that don't have attr_accessible defined. Any time that happens, it's a potential problem.

Install this plugin as follows:

$ script/plugin install git://github.com/mhartl/find_mass_assignment.git

For more information, see my brief review of mass assignment and my discussion of how to fix mass assignment vulnerabilities in Rails.

Example

Suppose line 17 of the Users controller is

@user = User.new(params[:user])

but the User model doesn't define attr_accessible. Then we get the output

$ rake find_mass_assignment

/path/to/app/controllers/users_controller.rb
  17  @user = User.new(params[:user])

This indicates that the User model has a likely mass assignment vulnerability. In the case of no apparent vulnerabilities, the rake task simply returns nothing.

The Unix exit status code of the rake task is 0 on success, 1 on failure, which means it can be used in a pre-commit hook. For example, if you use Git for version control, you can check for mass assignment vulnerabilities before each commit by putting

rake find_mass_assignment

at the end of the .git/hooks/pre-commit file.* Any commits that introduce potential mass assignment vulnerabilities (as determined by the plugin) will then fail automatically.

*Be sure to make the pre-commit hook file executable if it isn't already:

$ chmod +x .git/hooks/pre-commit

(You might also want to comment out the weird Perl script that's the default pre-commit hook on some systems; it gives you warnings like "You have some suspicious patch lines" that you probably don't want.)

Unsafe attribute updates

It is often useful to override attr_accessible, especially at the console and in tests, so the plugin also adds an assortment of helper methods to Active Record:

  • unsafe_new
  • unsafe_build
  • unsafe_create/unsafe_create!
  • unsafe_update_attributes/unsafe_update_attributes!

These work just like their safe counterparts, except they bypass attr_accessible. For example,

Person.unsafe_new(:admin => true)

works even if admin isn't attr_accessible.

Copyright

Copyright (c) 2008 Michael Hartl, released under the MIT license