Permissive request parameters

• Rule ID: ruby_rails_permissive_parameters
• Languages: ruby
• Source: permissive_parameters.yml

Description

Allowing overly permissive request parameters can allow attackers to update any model attributes they choose.

Remediations

• Do not use blanket permissions for request parameters. This approach can inadvertently expose your application to unauthorized modifications.

  params.permit! # unsafe

• Do explicitly permit only the parameters that users are allowed to update. This practice helps safeguard your application by limiting what can be modified.

  params.permit(:name, :email)

Associated CWE

• CWE-913: Improper Control of Dynamically-Managed Code Resources

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_permissive_parameters

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_permissive_parameters