#26 Hackers Love Mass Assignment (revised)
Mar 08, 2012 | 6 minutes | Active Record, Security, Models
One of the most common security issues in a Rails application is the mass-assignment vulnerability which allows a user to set any attribute on the model. Learn how to prevent it in this episode.
- source codeProject Files in Zip (102 KB)
- mp4Full Size H.264 Video (14.3 MB)
- m4vSmaller H.264 Video (7.39 MB)
- webmFull Size VP8 Video (8.49 MB)
- ogvFull Size Theora Video (16.3 MB)
Ryan, very useful as ever! One thing I noticed is near the end you mentioned about Dynamic Attributes covered in episode 239, it's actually episode 237 - thought it worth a mention :)
Nevermind, I just read the show notes.
Thank you! I was so confused at that.
Nice one Ryan - I blogged something similar a few days ago too (it includes DHH's example on how he deals with MAS as well) http://astonj.com/tech/rails-mass-assignment-security/
Yeah, after seeing DHH's example I had some fun spending a few minutes making a little "plugin" for that.
We already use the as option in our code though so I haven't had the chance to really work on that yet.
 = https://gist.github.com/2014589
 = http://guides.rubyonrails.org/security.html#countermeasures
Aha, very nice
I just rebuild my models with 'attr_accessible'
I was also just know that 'attr_accessible' is so important
This is not the first time that you mentioned this, as i remember you always use point this, your nifty-generators are the best example, thank you Ryan you are the best rails teacher!
Although this is a revised episode (and therefor subscriber only)
it is really a rather important one given recent events.
What about, this one time, making it a normal video and free to all to view?
Tax deductable if you own a business, or print out the invoice and ask your employer for a reimbursement. Just like David said below, this is one of the few places that I can always find good ACTIONABLE!! content and not feel ripped off, at $9 / month it's cheap.
I enjoyed Railscasts for years, I pretty much learned rails through railscasts. This month I got my subscription to pro. I don't regret one penny.
I guess, in the long run, that's necessary to keep Ryan doing what he does. Advertising financed only gets you so far.
And important episodes, like this one, may help in creating a bit more revenue, don't you think?
A colleague recommended me the original episode almost five years ago. When Railscasts went pro, I immediately subscribed.
It's my way of saying - I'm not doing it for the new content, but rather to show my appreciation.
And as far as I'm concerned, Ryan may very well not post anything for one year, the existing content alone is well worth the monthly subscription.
Jeffrey, It's well worth the Money. Could you think of a better investment? Either your career or business will love you for a railscasts subscription.
For everyone telling me to get a subscription. I already have one or I wouldn't have been able to comment here in the first place.
I was merely pointing out that since this is suddenly a large, important, issue which has blown up in everyone's faces maybe this one time the revised episode could go out to all in the spirit of public service.
Ryan, I believe this is a great time to revise #237 too: https://github.com/rails/rails/commit/1054ebd613c5596bc1ebb8d610d19e5fa374cca5
I believe the ActiveModel::MassAssignmentSecurity module was changed for the release of Rails 3.1.
Now you can do this (in a non-ActiveRecord class):
This has been exploding all over the interweb lately. Thanks for the vid!
Ryan, that was a very clear and concise explanation of the problem and a simple solution to the problem. Thanks!
Any hope of dynamic mass assignment making its way into CanCan? :)
attr_accessible can also take an option role using the :as option which allows you to define multiple levels of accessors. You can then use the :as option with new, create, create!, update_attributes, and update_attributes! methods to use the different levels of accessors. Alternatively you could use :without_protection => true if you wanted to bypass all of the mass assignment protection for a single statement, e.g., in a seed file.
Heads-up! New approach!
DHH advises against putting mass-assignment protection into the model:
p.s. Here's the blog of the Russian programmer, Egor Homakov, who cleverly brought this vulnerability to everyone's attention. BTW, the rails team supposedly ignored him ("guys in rails issues ingored me and my issue"). So, kudos to Egor!
On the other hand there is an argument for putting the protection into the model rather than controller:
See: Mass assignment vulnerability - how to force dev. define attr_accesible?
"config.active_record.whitelist_attributes = true" only works in Rails 3.1 or greater.