Possibly dangerous permitted parameter key detected.
- Rule ID: ruby_rails_unsafe_mass_assignment
- Languages: ruby
- Source: unsafe_mass_assignment.yml
Description
Safe-listing high-risk param keys leaves Rails applications open to mass assignment vulnerabilities.
In Rails, mass assignment is when we use a hash to assign attributes all at once rather than individually. For example:
user_attributes = { name: "Mish", email: "mish@bearer.com" }
User.new(user_attributes)
When used with an untrusted hash (for example, the params hash in a controller), mass assignment is open to attack because any attribute on the record that corresponds to a key in the hash will be automatically assigned the value in the hash. An attacker could exploit this vulnerability to change their role and permissions or to assign themselves as an admin.
By default, Rails' strong parameters protect against mass assignment vulnerability; however, we must take care when safe-listing high-risk param keys.
Remediations
❌ Where possible, avoid safe-listing high-risk param keys such as :admin or :role
user_params = params.require(:user).permit(:name, :email, :admin)
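The following is an added example, not code from the Bearer rule page or from Rails itself. It models the description above (a record assigned from an untrusted hash) and the remediation (permitting only low-risk keys) in plain Ruby so it runs without Rails: the `User` class and `permit_keys` helper are assumed stand-ins for an ActiveRecord model and for `params.require(:user).permit(...)`, and `UNTRUSTED_PARAMS` is a constructed request payload.

```ruby
# Added example: a plain-Ruby model of Rails mass assignment and strong
# parameters. `User` stands in for an ActiveRecord model and `permit_keys`
# for ActionController::Parameters#permit; neither is the real Rails API.

# Stand-in model: every hash key that names an attribute is assigned, which
# is exactly what makes mass assignment from an untrusted hash risky.
class User
  ATTRIBUTES = %i[name email admin role].freeze
  attr_reader(*ATTRIBUTES)

  def initialize(attrs = {})
    @admin = false
    @role = "member"
    assign_attributes(attrs)
  end

  def assign_attributes(attrs)
    attrs.each do |key, value|
      key = key.to_sym
      raise ArgumentError, "unknown attribute #{key}" unless ATTRIBUTES.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

# Stand-in for params.require(:user).permit(*keys): keeps only the permitted
# keys and silently drops everything else, as strong parameters do.
def permit_keys(params, *permitted)
  params.select { |key, _| permitted.include?(key.to_sym) }
end

# Constructed request payload: the signup form only has name and email
# fields, but the submitted hash carries an extra admin key.
UNTRUSTED_PARAMS = {
  "name" => "Mish",
  "email" => "mish@bearer.com",
  "admin" => true
}.freeze

# Flagged pattern: :admin is safe-listed, so the attacker-controlled value
# reaches the record and the new user becomes an admin.
def build_user_unsafe(params)
  User.new(permit_keys(params, :name, :email, :admin))
end

# Remediated pattern: only the fields a user may legitimately set are
# permitted; the admin key is dropped before assignment.
def build_user_safe(params)
  User.new(permit_keys(params, :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: admin=#{build_user_unsafe(UNTRUSTED_PARAMS).admin}"
  puts "safe:   admin=#{build_user_safe(UNTRUSTED_PARAMS).admin}"
end
```

Running the file prints `admin=true` for the flagged version and `admin=false` for the remediated one; in a real controller the same difference comes from whether `:admin` appears in the `permit` list, which is what this rule detects.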
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_unsafe_mass_assignment
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=ruby_rails_unsafe_mass_assignment