-
Notifications
You must be signed in to change notification settings - Fork 726
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconsider check for foreign keys on mass assignment #1144
Comments
Just ran into this as well, and went digging to see what made the keys considered dangerous. And I found the change that added check. Right now breakman assumes any parameter ending in A number of the rails apps I maintain have a number of columns that have columns with |
Thanks for the feedback. Just want to point out I forgot to deduplicate the warnings, so the number should be reduced in the next release. |
It is raising way too many warnings here too, we have removed the check altogether. I do not understand why an attribute with We offer relationship choices in forms that validate with the model or just the database foreign key constraint. Let me know the security rationale behind, I will be glad to learn more. 🏫 |
From what I see in the code, I understand this was done to prevent ownership stealing. Let’s say for example one of your ressources has an I understand it may be overwhelming to whitelist all of the keys that you know are safe, but it should be a one time job. To me, this adds a nice safety net for developers who might be less experienced. And you can always disable that rule globally if you know that you covered all your keys with safety checks, or they are keys that are actually allowed to be edited by the users. |
I can agree with @louim that having this check is good to create awareness about potential ownership stealing. These are great warnings. But is there a way to work around this warning without just ignoring it. Take for example an associated field that does need that extra validation. |
While I agree that this is a worthwhile cause, the check is a blunt instrument that in effect will negate any positive effects as people will disable the check vs go through a ignore. The check needs to further validate, check that parameter is actually used as foreign key in assignment via the schema via the relationships, maybe look at linking it to 'objects that could be linked to ownership'. User models, i.e. identify a User model by the devise configuration elements. Look at the validation on that an ID prior to saving, for example in our app some 'IDs' that had been identified had been validated in before action filters against a while list. The thing that makes this change considerably more annoying and more likely to do more harm than good is that the issue description that brakeman links to in the Knowledge base is far from adequate to describe the problem or the reason why. It talks about the older mass assignment issue, given a lot of these are being raised in Strong Parameter usage the reader will read that detailed description and go wtf! and pretty much immediately turn off the check as it will look to them like a blatant False Positive. |
Thank you to everyone for your input. FWIW, this is a direct translation of an existing check prior to strong params: https://github.com/presidentbeef/brakeman/blob/master/lib/brakeman/checks/check_model_attr_accessible.rb
No, not really.
I don't see how that would be feasible. Maybe if Would people like to see the warning about |
I would prefer to have the |
IMO, brakeman shouldn't remove As much as possible, brakeman should reduce false positives, but if that is difficult, give warnings to potentially dangerous code, and users should check it. |
I think what I'll do is drop the |
Trying 4.1, and my app gets 91 warnings about "Potentially dangerous key allowed for mass assignment". I would guess that is attempting to prevent the user from submitting a value not presented by the UI and doing something nefarious, but to warn on any foreign key seems a bit much. This is an extremely common pattern when presenting the user with a drop down or radio buttons to select another model in your app (especially things like
country_id
,*_type_id
, etc.)The text was updated successfully, but these errors were encountered: