Rails Mass Assignment

Rails Mass Assignment is a vulnerability specific to Ruby on Rails where user-submitted parameters are directly used to update model attributes, potentially allowing attackers to modify protected fields like admin flags or user IDs.

How It Works

Rails' ActiveRecord allows creating or updating records by passing a hash of attributes, and controllers typically build that hash straight from the request parameters. Without proper protection, an attacker can add unexpected keys to the request (for example `admin`) and set any column on the model, not just the ones the form exposed.

Vulnerable Code Example

# Vulnerable controller (Rails < 4)
def create
  @user = User.new(params[:user])
  @user.save
end

# Request with malicious parameters
POST /users
user[name]=John&user[email]=john@example.com&user[admin]=true

# Creates admin user!

Protection Methods

Strong Parameters (Rails 4+)

class UsersController < ApplicationController
  def create
    @user = User.new(user_params)
    @user.save
  end

  private

  def user_params
    params.require(:user).permit(:name, :email, :password)
    # :admin not permitted - protected!
  end
end
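As an added example, not taken from this page or from Rails itself, the following Rails-free Ruby script simulates both halves of the discussion above: the unfiltered `User.new(params[:user])` of the vulnerable controller, and the `require`/`permit` filtering that strong parameters add. `User`, `Params`, `vulnerable_create`, `safe_create` and the `REQUEST` hash are all constructed stand-ins for `ActiveRecord::Base`, `ActionController::Parameters` and the decoded request body; the `strict:` keyword on `permit` mimics what Rails does when `config.action_controller.action_on_unpermitted_parameters = :raise` is set, and `ForbiddenAttributesError` mimics the error Rails raises when an unpermitted parameter hash reaches the model.

```ruby
# Added example: a Rails-free simulation of mass assignment and strong parameters.
# User and Params are simplified stand-ins written for this page, not Rails' own code.
require 'set'

# Minimal model: every attribute can be set from a hash, like ActiveRecord's new(attrs).
class User
  attr_accessor :name, :email, :password, :admin

  def initialize(attrs = {})
    @admin = false          # the column default; only the application should flip it
    assign_attributes(attrs)
  end

  # Mass assignment: each key in the hash becomes a setter call. There is no filtering
  # here, so whatever the caller passes through is written, including :admin.
  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Simplified stand-in for ActionController::Parameters#require / #permit.
class Params
  class ParameterMissing < StandardError; end
  class UnpermittedParameters < StandardError; end
  class ForbiddenAttributesError < StandardError; end

  def initialize(hash, permitted: false)
    @hash = hash
    @permitted = permitted
  end

  # require(:user) returns the nested hash, or raises when it is absent or blank.
  def require(key)
    value = @hash[key]
    raise ParameterMissing, "param is missing or the value is empty: #{key}" if value.nil? || value.empty?
    Params.new(value)
  end

  # permit(*keys) keeps only the whitelisted keys; everything else is dropped.
  # strict: true mimics action_on_unpermitted_parameters = :raise (Rails logs by default).
  def permit(*keys, strict: false)
    allowed = Set.new(keys.map(&:to_sym))
    extra = @hash.keys.map(&:to_sym) - allowed.to_a
    raise UnpermittedParameters, "found unpermitted parameters: #{extra.join(', ')}" if strict && extra.any?
    Params.new(@hash.select { |k, _| allowed.include?(k.to_sym) }, permitted: true)
  end

  # Only a permitted hash may reach the model, like ActiveModel::ForbiddenAttributesError.
  def to_h
    raise ForbiddenAttributesError, 'unpermitted parameters passed to the model' unless @permitted
    @hash
  end
end

# Constructed request body, the page's query string already decoded into a nested hash:
#   user[name]=Eve&user[email]=eve@example.com&user[admin]=true
REQUEST = { user: { name: 'Eve', email: 'eve@example.com', admin: 'true' } }.freeze

# Vulnerable action (Rails < 4 style): params[:user] is handed to the model unchanged.
def vulnerable_create(request)
  User.new(request[:user])
end

# Hardened action: strong parameters drop :admin before the hash reaches the model.
def safe_create(request)
  user_params = Params.new(request).require(:user).permit(:name, :email, :password)
  User.new(user_params.to_h)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin=#{vulnerable_create(REQUEST).admin.inspect}"  # "true" came from the request
  puts "safe:       admin=#{safe_create(REQUEST).admin.inspect}"        # false, the column default
end
```

The model in this simulation never casts `'true'` to a boolean, so the vulnerable path stores the raw string; real ActiveRecord would cast it to `true`, which is exactly the outcome the page warns about. The defensive point is the same either way: the filter must live at the controller boundary (`permit`), because the model will accept any key it is given.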

attr_accessible (Rails 3)

class User < ActiveRecord::Base
  attr_accessible :name, :email, :password
  # admin attribute not accessible through mass assignment
end

Famous Incident

The 2012 GitHub vulnerability where a security researcher used mass assignment to add his SSH key to the Rails organization, demonstrating the severity of this issue.

See Also