This repository is private.
All pages are served over SSL and all pushing and pulling is done over SSH.
No one may fork, clone, or view it unless they are added as a member.
Every repository with this icon (
) is private.
Every repository with this icon (
) is private.
This repository is public.
Anyone may fork, clone, or view it.
Every repository with this icon () is public.
Every repository with this icon (
) is public.
audit_mass_assignment / README
| 3708b011 » | ryanlowe | 2008-04-30 | 1 | Moved to GitHub from Google Code on May 1, 2008 | |
| 4a09fe09 » | ryanlowe | 2008-04-30 | 2 | Was hosted at http://code.google.com/p/audit-mass-assignment/ | |
| 3 | |||||
| 4b1ce3db » | ryanlowe | 2008-04-30 | 4 | = audit_mass_assignment plugin for Ruby on Rails | |
| 5 | |||||
| 6 | The audit_mass_assignment Ruby on Rails plugin contains a rake task that | ||||
| 7 | checks the models in your project for the attr_accessible whitelist approach | ||||
| 8 | for protecting against "mass assignment" exploits. It does not check for | ||||
| 9 | use of attr_protected! | ||||
| 10 | |||||
| 11 | If a Rails model does not use attr_accessible, it fails this audit. The | ||||
| 12 | audit does not check which parameters are accessible or protected, only | ||||
| 13 | that at least one is marked as accessible. | ||||
| 14 | |||||
| 4a09fe09 » | ryanlowe | 2008-04-30 | 15 | Run the audit whenever you feel like it! Other audit plugins for Rails | |
| 4b1ce3db » | ryanlowe | 2008-04-30 | 16 | could be created to automatically check for bad patterns or insecure | |
| 4a09fe09 » | ryanlowe | 2008-04-30 | 17 | code. This one was easy to implement. | |
| 4b1ce3db » | ryanlowe | 2008-04-30 | 18 | ||
| 19 | == Installation | ||||
| 20 | |||||
| 3708b011 » | ryanlowe | 2008-04-30 | 21 | It looks like Rails 2.1 will support "script/plugin install" with Git | |
| 22 | repositories. Until then you can put this plugin in vendor/plugins with: | ||||
| 23 | |||||
| 24 | git clone git://github.com/ryanlowe/audit_mass_assignment.git | ||||
| 25 | |||||
| 26 | and delete the .git directory inside it before committing it to source control. | ||||
| 27 | |||||
| 28 | When Rails 2.1 supports Git you should be able to do: | ||||
| 29 | |||||
| 30 | script/plugin install git://github.com/ryanlowe/audit_mass_assignment.git | ||||
| 4b1ce3db » | ryanlowe | 2008-04-30 | 31 | ||
| 32 | == Usage | ||||
| 33 | |||||
| 34 | $ rake audit:mass_assignment | ||||
| 35 | |||||
| 36 | == NOTES | ||||
| 37 | |||||
| 3708b011 » | ryanlowe | 2008-04-30 | 38 | If you want to protect ALL attributes in your model use: | |
| 4b1ce3db » | ryanlowe | 2008-04-30 | 39 | ||
| 40 | attr_accessible nil | ||||
| 41 | |||||
| 42 | Why are "mass assignment" exploits a danger to Rails applications? See these links: | ||||
| 43 | |||||
| 44 | 1. rorsecurity.info: Do not create records directly from form parameters | ||||
| 45 | http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/ | ||||
| 46 | |||||
| 47 | 2. Railscasts: Hackers Love Mass Assignment | ||||
| 48 | http://railscasts.com/episodes/26 | ||||
| 49 | |||||
| 50 | 3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters | ||||
| 51 | http://manuals.rubyonrails.com/read/chapter/47 | ||||
| 52 | |||||
| 53 | |||||
