ryanlowe / audit_mass_assignment
watch download tarball
public
Forks0Right
Watchers11Right
Description: Checks Ruby on Rails models for use of the attr_accessible white list.
Homepage: http://www.disruptiveagility.com/plugin/audit_mass_assignment
Clone URL: git://github.com/ryanlowe/audit_mass_assignment.git
name age
history
message
file .gitignore Sun May 25 21:28:48 -0700 2008 move audit code to a class [ryanlowe]
file .loadpath Wed Apr 30 21:09:05 -0700 2008 move from Google Code [ryanlowe]
file .project Wed Apr 30 21:09:05 -0700 2008 move from Google Code [ryanlowe]
file CHANGELOG Wed May 28 01:03:26 -0700 2008 bugfix: failures was size instead of array of f... [ryanlowe]
file MIT-LICENSE Wed Apr 30 21:12:22 -0700 2008 add MIT license [ryanlowe]
file README Mon May 26 10:33:12 -0700 2008 update installation instructions for GitHub gem [ryanlowe]
file Rakefile Sun May 25 21:28:48 -0700 2008 move audit code to a class [ryanlowe]
directory app/ Mon May 26 09:41:18 -0700 2008 add AuditUser to test attr_accessible nil [ryanlowe]
file audit_mass_assignment.gemspec Wed May 28 01:03:26 -0700 2008 bugfix: failures was size instead of array of f... [ryanlowe]
directory config/ Sun May 25 21:28:48 -0700 2008 move audit code to a class [ryanlowe]
directory db/ Mon May 26 09:41:18 -0700 2008 add AuditUser to test attr_accessible nil [ryanlowe]
file init.rb Sun May 25 21:28:48 -0700 2008 move audit code to a class [ryanlowe]
directory lib/ Wed May 28 01:03:26 -0700 2008 bugfix: failures was size instead of array of f... [ryanlowe]
directory script/ Mon May 26 09:41:18 -0700 2008 add AuditUser to test attr_accessible nil [ryanlowe]
directory tasks/ Wed May 28 01:03:26 -0700 2008 bugfix: failures was size instead of array of f... [ryanlowe]
directory test/ Wed May 28 01:03:26 -0700 2008 bugfix: failures was size instead of array of f... [ryanlowe]
README
Moved to GitHub from Google Code on May 1, 2008
Was hosted at http://code.google.com/p/audit-mass-assignment/

= audit_mass_assignment plugin for Ruby on Rails

  The audit_mass_assignment Ruby on Rails plugin contains a rake task that
  checks the models in your project for the attr_accessible whitelist approach
  for protecting against "mass assignment" exploits.  It does not check for
  use of attr_protected.

== Installation

  gem install ryanlowe-audit_mass_assignment --source http://gems.github.com/

== Usage

  $ rake audit:mass_assignment

== Notes

  If you want to protect ALL attributes in your model use:
  
    attr_accessible nil

  Why are "mass assignment" exploits a danger to Rails applications? See these links:
  
  1. rorsecurity.info: Do not create records directly from form parameters
     http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/
  
  2. Railscasts: Hackers Love Mass Assignment
     http://railscasts.com/episodes/26
  
  3. Rails Manual: Typical mistakes in Rails applications: Creating records directly from form parameters
     http://manuals.rubyonrails.com/read/chapter/47