Possibly dangerous permitted parameter key detected.

• Rule ID: ruby_rails_unsafe_mass_assignment
• Languages: ruby
• Source: unsafe_mass_assignment.yml

Description

Safe-listing high-risk param keys makes Rails applications open to mass assignment vulnerability.

In Rails, mass assignment is when we use a hash to assign attributes all at once rather than individually. For example:

user_attributes = { name: "Mish", email: "mish@bearer.com" }
User.new(user_attributes)

When used with an untrusted hash (for example, the params hash in a controller), mass assignment is open to attack because any attribute on the record that corresponds to a key in the hash will be automatically assigned the value in the hash. An attacker could exploit this vulnerability to change their role and permissions or to assign themselves as an admin.

By default, Rails' strong parameters protect against mass assignment vulnerability; however, we must take care when safe-listing high-risk param keys.

Remediations

❌ Where possible, avoid safe-listed high-risk param keys such as :admin or :role

user_params = params(:user).permit!(:name, :email, :admin)

Resources

• OWASP Mass Assignment Cheat Sheet
• Ruby on Rails security guide on mass assignment

Associated CWE

• CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

OWASP Top 10

• A08:2021 - Software and Data Integrity Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_mass_assignment

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_mass_assignment