Possible dangerous permitted parameter key

Description

Permitting high-risk parameter keys in Rails applications exposes them to mass assignment vulnerabilities.

In Rails, mass assignment is the practice of assigning a record's attributes all at once from a hash rather than setting them individually. This feature is commonly used when creating or updating records.

When the hash is untrusted (for example, the params hash in a controller), mass assignment is open to attack: every attribute on the record that matches a key in the hash is assigned the value from the hash, whether or not the form was meant to set it. An attacker can exploit this to change their own role and permissions, or to grant themselves an admin role.

By default, Rails' strong parameters protect against mass assignment vulnerabilities. However, including sensitive or high-risk keys in the permitted list still leaves the application vulnerable, because strong parameters only filter out the keys that are not permitted.

Remediations

  • Do not include high-risk parameters such as :admin or :role in the list of permitted keys for mass assignment, to prevent attackers from exploiting these attributes to escalate their privileges.
    user_params = params.require(:user).permit(:admin, :role) # unsafe
  • Do not use mass assignment with an untrusted hash, such as params.
    User.new(params) # unsafe
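The following is an added example that is not part of the Bearer rule page and is not Rails' own code. It simulates the mass-assignment pattern described above without loading Rails, so it runs offline: a hypothetical User model assigns every matching key from a hash, a small stand-in for require/permit filters keys the way strong parameters do, and three builders show the unfiltered case, the case where :admin and :role are wrongly permitted, and the remediated case. The request hash is constructed to contain the extra keys an attacker would add. The risky_permitted_keys helper is a lightweight version of the check this rule performs on a permit list.

```ruby
# Constructed example: mimics mass assignment and strong parameters without Rails.

# Hypothetical model: mass assignment writes every key that matches a writer.
class User
  attr_accessor :name, :email, :admin, :role

  def initialize(attrs = {})
    @admin = false        # safe defaults a new account should keep
    @role = "member"
    assign_attributes(attrs)
  end

  # Each key in the hash with a matching "key=" writer is assigned unchecked.
  def assign_attributes(attrs)
    attrs.each do |key, value|
      writer = "#{key}="
      public_send(writer, value) if respond_to?(writer)
    end
    self
  end
end

# Constructed untrusted request hash: the client added admin/role keys
# that the sign-up form never exposed.
UNTRUSTED_PARAMS = {
  user: { name: "alice", email: "alice@example.test", admin: true, role: "admin" }
}.freeze

# Keys that should never appear in a permit list for user-controlled input.
HIGH_RISK_KEYS = %i[admin role].freeze

# Stand-in for params.require(key).permit(*allowed): keeps only listed keys.
# Mirrors the behaviour the page describes; it is not Rails' own class.
def permit(params, key, *allowed)
  raw = params.fetch(key) # like params.require, fails when the key is absent
  raw.select { |k, _| allowed.include?(k) }
end

# Returns the high-risk keys present in a permit list (empty means clean).
def risky_permitted_keys(*allowed)
  allowed & HIGH_RISK_KEYS
end

# Unsafe: no permit at all; the whole untrusted hash reaches the model.
def unfiltered_build(params)
  User.new(params[:user])
end

# Unsafe: the permit list includes the high-risk keys, so strong parameters
# pass the attacker's values straight through.
def unsafe_build(params)
  User.new(permit(params, :user, :name, :email, :admin, :role))
end

# Remediated: only the attributes the form is meant to set are permitted;
# admin and role keep their defaults no matter what the client sends.
def safe_build(params)
  User.new(permit(params, :user, :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: admin=#{unfiltered_build(UNTRUSTED_PARAMS).admin}"
  puts "unsafe permit: role=#{unsafe_build(UNTRUSTED_PARAMS).role}"
  u = safe_build(UNTRUSTED_PARAMS)
  puts "safe permit: admin=#{u.admin} role=#{u.role}"
  puts "risky keys in unsafe list: #{risky_permitted_keys(:name, :email, :admin, :role).inspect}"
end
```

The point of the simulation is that the filtering step is the only thing standing between the request hash and the record: permitting :admin or :role makes that step a no-op for exactly the attributes that matter, which is why the rule flags them rather than the use of permit itself.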

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_mass_assignment

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_mass_assignment