Rails mass assignment
Description
This application may be vulnerable to Rails mass assignment, a flaw that lets an attacker set model attributes the application never intended to expose. Mass assignment happens when a hash of user-supplied parameters is handed straight to an Active Record model (on creation, or through update / update_attributes / assign_attributes) without filtering which keys are allowed. For example, when a signup action runs
@user = User.new(params[:user])
an attacker who adds an extra field to the form body, such as user[admin]=1 or user[role]=owner, gets that value written to the matching column alongside the legitimate name and email fields, escalating to admin privileges, changing account status, or overwriting any other column the model exposes. The model cannot distinguish an injected key from a legitimate one; the only defence is an allow-list applied before assignment. This weakness has been a known concern in Rails since the framework's early versions.
Remediation
Implement attribute protection for every Active Record model that is populated from request parameters, so that only an explicit allow-list of attributes can be set through mass assignment. Where that allow-list lives depends on the Rails version:
For Rails 3.x and earlier:
Use attr_accessible (allow-list approach, recommended) in the model to declare exactly which attributes may be mass-assigned; anything not listed is ignored when assigned from a hash:
  class User < ActiveRecord::Base
    attr_accessible :name, :email, :password
    # admin, role, and every other attribute are now protected
  end
Alternatively, attr_protected (deny-list approach, less secure) names the attributes that cannot be mass-assigned and leaves everything else open:
  class User < ActiveRecord::Base
    attr_protected :admin, :role
  end
A deny-list is fragile: every column added later is mass-assignable until someone remembers to list it. On Rails 3.2, set config.active_record.whitelist_attributes = true in config/application.rb so that a model with no attr_accessible declaration protects every attribute by default; with config.active_record.mass_assignment_sanitizer = :strict, an attempt to set a protected attribute raises instead of being logged and silently dropped. Note that attr_accessible and attr_protected were removed from the Rails 4 core; the protected_attributes gem that reinstates them is deprecated and not supported on Rails 5 or later, so code on those versions should migrate to Strong Parameters.
For Rails 4.x and later:
Use Strong Parameters in the controller to permit the allowed attributes explicitly. Keys that are not permitted are dropped before the hash reaches the model, and passing an unpermitted ActionController::Parameters object (such as params[:user] itself) to a model raises ActiveModel::ForbiddenAttributesError:
  class UsersController < ApplicationController
    def create
      @user = User.new(user_params)
    end

    private

    def user_params
      params.require(:user).permit(:name, :email, :password)
    end
  end
Two escape hatches defeat this protection and should be treated as findings wherever they appear: permit! marks every key as allowed, and to_unsafe_h converts the parameters to a plain hash that the model accepts without complaint. In development and test environments, set config.action_controller.action_on_unpermitted_parameters = :raise so that an injected key surfaces as an ActionController::UnpermittedParameters error rather than being silently dropped.
Best Practices:
• Always use the allow-list approach (attr_accessible or Strong Parameters) rather than a deny-list, and never permit security-sensitive attributes such as admin, role, or account status from a form the user controls
• Review all models to ensure sensitive attributes are protected, including models reached indirectly through accepts_nested_attributes_for, whose nested hashes need their own permit list
• Use role-based parameter filtering when different user types require different permissions: derive the permitted keys from the authenticated current_user, never from a value carried in the request
• Regularly audit your codebase for params[:user]-style hashes or params.to_unsafe_h passed directly to new, create, update, update_attributes, or assign_attributes, and for any use of permit!
• Consider using form objects or service objects to isolate mass assignment logic, so the set of assignable attributes for each use case is declared in one place
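The following is an added example, not code from the original page or from Rails: a dependency-free Ruby script that reproduces the controller-boundary allow-listing of the Strong Parameters section above and the role-based filtering recommended in the best practices, run against a constructed attacker request. The User model, the permit and user_params helpers, the create_user* methods and the role values are assumptions made for this illustration; in a real application the equivalent calls are params.require(:user).permit(...) inside the controller.

```ruby
# Added example (not Rails code): simulate what Strong Parameters does at the
# controller boundary, including role-based filtering, against a constructed
# attacker request. User, permit, user_params and create_user* are assumed names.

# Stand-in for an Active Record model. Like User.new(params[:user]) in Rails 3,
# it assigns every key it is handed; nothing here protects :admin or :role.
class User
  ATTRIBUTES = %i[name email password admin role].freeze
  TRUE_VALUES = ["1", "true", true].freeze # how a boolean column casts form input
  attr_reader(*ATTRIBUTES)

  def initialize(attrs = {})
    ATTRIBUTES.each { |a| instance_variable_set("@#{a}", nil) }
    attrs.each do |name, value|
      name = name.to_sym
      raise ArgumentError, "unknown attribute #{name}" unless ATTRIBUTES.include?(name)
      instance_variable_set("@#{name}", value)
    end
  end

  def admin?
    TRUE_VALUES.include?(@admin)
  end
end

# Equivalent of params.require(key).permit(*allowed) over a plain Hash:
# require fails loudly when the scope is missing; permit keeps only the listed
# keys and silently drops the rest (Strong Parameters' default behaviour).
def permit(params, key, *allowed)
  nested = params[key.to_s] || params[key]
  raise KeyError, "param is missing or the value is empty: #{key}" if nested.nil? || nested.empty?
  allowed_names = allowed.map(&:to_s)
  nested.each_with_object({}) do |(name, value), out|
    out[name.to_sym] = value if allowed_names.include?(name.to_s)
  end
end

# Role-based filtering: the allow-list is chosen from the authenticated caller
# (current_user), never from anything the request body claims about itself.
def user_params(params, current_user = nil)
  allowed = %i[name email password]
  allowed += %i[role] if current_user && current_user.admin?
  permit(params, :user, *allowed)
end

# The pattern the finding describes: the raw hash reaches the model untouched.
def create_user_vulnerable(params)
  User.new(params["user"])
end

# The remediated pattern: only permitted keys reach the model.
def create_user(params, current_user = nil)
  User.new(user_params(params, current_user))
end

# Constructed attacker request, i.e. the decoded form body
#   user[name]=mallory&user[email]=m@example.com&user[password]=hunter2&user[admin]=1&user[role]=owner
ATTACKER_PARAMS = {
  "user" => {
    "name" => "mallory", "email" => "m@example.com", "password" => "hunter2",
    "admin" => "1", "role" => "owner"
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: admin?=#{create_user_vulnerable(ATTACKER_PARAMS).admin?}" # true
  puts "hardened:   admin?=#{create_user(ATTACKER_PARAMS).admin?}"            # false
  admin_caller = User.new("admin" => true)
  puts "admin caller may set role: #{create_user(ATTACKER_PARAMS, admin_caller).role.inspect}"
end
```

The vulnerable path turns the injected user[admin]=1 into an admin account; the hardened path drops both admin and role for an anonymous signup, and even an admin caller can only set role, because admin is never on any permit list. Note that the dropped keys vanish without a trace, which is why the action_on_unpermitted_parameters = :raise setting is worth enabling outside production.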