Possible dangerous permitted parameter key

Description

Safe-listing (permitting) high-risk param keys such as :admin or :role leaves a Rails application open to a mass assignment vulnerability.

In Rails, mass assignment is when we use a hash to assign attributes all at once rather than individually. For example:

user_attributes = { name: "Mish", email: "mish@bearer.com" }
User.new(user_attributes)

When used with an untrusted hash (for example, the params hash in a controller), mass assignment is open to attack because any attribute on the record that corresponds to a key in the hash is assigned the value from the hash. An attacker who can add an extra key to the request body (for example admin=true) could exploit this to change their own role and permissions or to make themselves an admin.

By default, Rails' strong parameters protect against mass assignment: an ActionController::Parameters object cannot be passed to model methods such as new, create or update until its keys have been explicitly permitted. That protection only helps if the permit list stays narrow, so we must take care not to safe-list high-risk param keys.

Remediations

❌ Where possible, avoid safe-listing high-risk param keys such as :admin or :role. Permitting them hands control of an authorization attribute to whoever submits the request:

user_params = params.require(:user).permit(:name, :email, :admin)
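The following is an added example, not code from Bearer or from Rails, covering both the description above and this remediation. Because ActionController::Parameters needs a full Rails app, it uses a small stand-in `permit` function (keeps only the listed keys, as strong parameters do for top-level scalars) and a plain Ruby `User` class whose `assign_attributes` mirrors ActiveRecord mass assignment. The request body, the function names and the `actor_is_admin:` keyword are all assumptions made for the example.

```ruby
# Added example (not Bearer's or Rails' own code). `permit` is a minimal
# stand-in for ActionController::Parameters#permit: it keeps only the
# listed keys and drops everything else.
def permit(raw, *allowed)
  raw.transform_keys(&:to_sym).slice(*allowed)
end

# Plain Ruby stand-in for an ActiveRecord model. assign_attributes writes
# every key of the hash to the matching attribute: that is mass assignment.
class User
  attr_accessor :name, :email, :admin

  def initialize(attrs = {})
    @admin = false # new accounts are never privileged by default
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# Constructed request body: an attacker adds an `admin` key to the signup form.
ATTACKER_PARAMS = {
  "name" => "Mish",
  "email" => "mish@bearer.com",
  "admin" => true
}.freeze

# ❌ Safe-listing :admin lets the attacker-supplied value through.
def create_user_unsafe(raw)
  User.new(permit(raw, :name, :email, :admin))
end

# ✅ Leave :admin out of the permit list; the injected key is dropped.
def create_user_safe(raw)
  User.new(permit(raw, :name, :email))
end

# ✅ When admin must be settable (an admin console, say), gate it on a
# server-side decision about the caller (assumed here to be passed in as
# actor_is_admin:) rather than on the request alone.
def create_user_by_admin(raw, actor_is_admin:)
  user = User.new(permit(raw, :name, :email))
  user.admin = actor_is_admin && permit(raw, :admin)[:admin] == true
  user
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe permit list: admin=#{create_user_unsafe(ATTACKER_PARAMS).admin}"
  puts "safe permit list:   admin=#{create_user_safe(ATTACKER_PARAMS).admin}"
end
```

Run it with `ruby mass_assignment.rb`: the unsafe path creates an admin from an ordinary signup request, the safe path creates the same user with admin still false. The same pattern applies to :role, :permissions or any other attribute the application uses for authorization decisions.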

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_mass_assignment

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_mass_assignment
