RailsCasts Pro episodes are now free!

Learn more or hide this

Hackers Love Mass Assignment (revised)

#26 Hackers Love Mass Assignment (revised)

Mar 08, 2012 | 6 minutes | Active Record, Security, Models
One of the most common security issues in a Rails application is the mass-assignment vulnerability which allows a user to set any attribute on the model. Learn how to prevent it in this episode.
Click to Play Video ▶
  • Download:
  • source codeProject Files in Zip (102 KB)
  • mp4Full Size H.264 Video (14.3 MB)
  • m4vSmaller H.264 Video (7.39 MB)
  • webmFull Size VP8 Video (8.49 MB)
  • ogvFull Size Theora Video (16.3 MB)
Avatar
Stephen Provis over 12 years ago

Ryan, very useful as ever! One thing I noticed is near the end you mentioned about Dynamic Attributes covered in episode 239, it's actually episode 237 - thought it worth a mention :)

Avatar
Stephen Provis over 12 years ago

Nevermind, I just read the show notes.

Avatar
Mark Holmberg over 12 years ago

Thank you! I was so confused at that.

Avatar
AstonJ over 12 years ago

Nice one Ryan - I blogged something similar a few days ago too (it includes DHH's example on how he deals with MAS as well) http://astonj.com/tech/rails-mass-assignment-security/

Avatar
Mohammad El-Abid over 12 years ago

Yeah, after seeing DHH's example I had some fun spending a few minutes making a little "plugin" for that[1].
We already use the as option[2] in our code though so I haven't had the chance to really work on that yet.

[1] = https://gist.github.com/2014589
[2] = http://guides.rubyonrails.org/security.html#countermeasures

Avatar
余长洪 over 12 years ago

Aha, very nice
I just rebuild my models with 'attr_accessible'
I was also just know that 'attr_accessible' is so important

Avatar
Ismael G Marin C over 12 years ago

This is not the first time that you mentioned this, as i remember you always use point this, your nifty-generators are the best example, thank you Ryan you are the best rails teacher!

Avatar
Jeffrey Jones over 12 years ago

Although this is a revised episode (and therefor subscriber only)
it is really a rather important one given recent events.

What about, this one time, making it a normal video and free to all to view?

Avatar
waldrupm over 12 years ago

Tax deductable if you own a business, or print out the invoice and ask your employer for a reimbursement. Just like David said below, this is one of the few places that I can always find good ACTIONABLE!! content and not feel ripped off, at $9 / month it's cheap.

Avatar
Rainer Kuhn over 12 years ago

I enjoyed Railscasts for years, I pretty much learned rails through railscasts. This month I got my subscription to pro. I don't regret one penny.
I guess, in the long run, that's necessary to keep Ryan doing what he does. Advertising financed only gets you so far.

And important episodes, like this one, may help in creating a bit more revenue, don't you think?

Avatar
Daniel Mircea over 12 years ago

A colleague recommended me the original episode almost five years ago. When Railscasts went pro, I immediately subscribed.

It's my way of saying - I'm not doing it for the new content, but rather to show my appreciation.

And as far as I'm concerned, Ryan may very well not post anything for one year, the existing content alone is well worth the monthly subscription.

Avatar
David Henner over 12 years ago

Jeffrey, It's well worth the Money. Could you think of a better investment? Either your career or business will love you for a railscasts subscription.

Avatar
Jeffrey Jones over 12 years ago

For everyone telling me to get a subscription. I already have one or I wouldn't have been able to comment here in the first place.

I was merely pointing out that since this is suddenly a large, important, issue which has blown up in everyone's faces maybe this one time the revised episode could go out to all in the spirit of public service.

Avatar
Evan Marell over 12 years ago

I believe the ActiveModel::MassAssignmentSecurity module was changed for the release of Rails 3.1.

Now you can do this (in a non-ActiveRecord class):

ruby 
include ActiveModel::MassAssignmentSecurity

attr_accessible :first_name, :last_name
attr_accessible :first_name, :last_name, :plan_id, :as => :admin

http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity.html
http://api.rubyonrails.org/classes/ActiveModel/MassAssignmentSecurity/ClassMethods.html

Avatar
Andre Dublin over 12 years ago

This has been exploding all over the interweb lately. Thanks for the vid!

Avatar
Steven Little over 12 years ago

Ryan, that was a very clear and concise explanation of the problem and a simple solution to the problem. Thanks!

Avatar
Wade West over 12 years ago

Any hope of dynamic mass assignment making its way into CanCan? :)

Avatar
Joseph Weakley over 12 years ago

attr_accessible can also take an option role using the :as option which allows you to define multiple levels of accessors. You can then use the :as option with new, create, create!, update_attributes, and update_attributes! methods to use the different levels of accessors. Alternatively you could use :without_protection => true if you wanted to bypass all of the mass assignment protection for a single statement, e.g., in a seed file.

http://guides.rubyonrails.org/security.html#countermeasures

Avatar
Bardwin over 12 years ago

Heads-up! New approach!

DHH advises against putting mass-assignment protection into the model:

The basic idea is to move mass-assignment protection out of the model and into the controller where it belongs.

The whole point of the controller is to control the flow between user and application, including authentication, authorization, and as part of that access control.

This new approach is an extraction of the slice pattern and we're calling the plugin for it strong_parameters (already available as a gem as well).

See: http://weblog.rubyonrails.org/2012/3/21/strong-parameters/

p.s. Here's the blog of the Russian programmer, Egor Homakov, who cleverly brought this vulnerability to everyone's attention. BTW, the rails team supposedly ignored him ("guys in rails issues ingored me and my issue"). So, kudos to Egor!

Avatar
Bardwin over 12 years ago

On the other hand there is an argument for putting the protection into the model rather than controller:

Protecting attributes from within controllers sounds like a setup to have multiple points of fault. If I have more than one controller making saves/updates on the same model (ignoring a debate over if that is good design), then I have to remember to protect attributes in multiple controllers. If I handle mass assignment from the model, there's a single, definitive barrier between submitted params and persistence, irrespective of where that data originated. -- @Eleo

@Eleo exactly. That's what I tried to say [to] dhh in my gist. Controller has nothing to do with unintended params. It doesnt filter. It handles, manages, controls business logic.
IMO You should write your controllers way described below:
1) have all critical fields protected/updateable - accessible
2) control saving new record in controller using role checks, dependencies and abilities. Not just by filtering :user_id
3) Never simplify business logic for "update". People got role checks in "create" but trying to manage just "update_attributes" in edit and that's why this has happened. If you check role - check it on create and on update.

Don't be lazy. sic! -- @homakov

See: Mass assignment vulnerability - how to force dev. define attr_accesible?

Avatar
georgeu2000 over 12 years ago

"config.active_record.whitelist_attributes = true" only works in Rails 3.1 or greater.